SPECIAL REPORT

Organized crime is nimble and effective in both the physical and digital worlds. PAGE 28

www.csoonline.com $9.00 September 2009


WIRELESS INTRUDERS PAGE 22

Smarter technology for a Smarter Planet:

Service in the age of smart assets.

Smart assets are making it possible to spread intelligence far beyond the four walls of the datacenter into everything from power lines to railroad lines to assembly lines. The challenge is: how do you choreograph these two worlds—the physical and the digital—to provide the quality services your customers expect and the flexibility your business needs?

IBM’s approach to service management can help you extend greater visibility, control and automation through all of your company’s services—inside and out—so you can easily modify existing services or quickly add new ones, laying the groundwork for a more dynamic infrastructure. We’re helping companies all over the world—20 of the 20 top telcos, 10 of the 20 biggest utilities and 7 of the 10 largest automotive manufacturers—reach beyond the datacenter to deliver quality service and respond quickly to the demands of a smarter planet.

A smarter business needs smarter software, systems and services. Let’s build a smarter planet. ibm.com/svcmgmt

IBM, the IBM logo, ibm.com, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml.




September 2009, Vol. 8, No. 7

Features...

28 Special Report: The Mob and You
In the physical and digital worlds, organized crime is a growing headache for corporate CSOs. Here’s your guide to the new Mob.
By Michael Fitzgerald

30 Smash and Grab
Small, loosely connected gangs illustrate the challenge of stopping organized retail theft.

33 Made Men in Cyberspace
The shadow economy for stolen identity and account information continues to evolve.

Also Inside...

4 From the Editor
6 From the Publisher
9 Briefing

■ Trojan Clampi spreads via Windows networks
■ Four ways to catch a liar
■ The day a hacker made Twitter go away
■ Mass 201 CMR 17: A survival guide for the anxious
■ A new tea party?
■ Fast-food FAIL

22 Sensing Trouble
Toolbox Wireless intrusion prevention and detection systems aim to defeat evil twins and other tricky hacks. By Mary Brandel

36 A Day in the Life of Two IT Security Cranks
Undercover Two IT security guys survive a routine day the way many of us do: by venting away their daily challenges in 140 characters or less.
By Anonymous

18 Join the Discussion
Top ten reasons you know your CISO must go; California joins other states in addressing electronic evidence; the cyber-czar challenge

38 The Pirate of Prague
Industry View A handbag maker is convicted under the Foreign Corrupt Practices Act. Here’s what it means for U.S. companies doing business overseas. By Gregory A. Paw

40 Debriefing
Quiz Family Matters

CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2009 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970. www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.

2 www.csoonline.com September 2009

Cover illustration by Nancy Stahl


10,239 employees
207 doors
15 restricted areas
8 elevators

1 very confident ADT client


Business Solutions


ADT Select Managed Access Control: Security without the hassle.

No system administration concerns. No on-site computers or expensive software. No need to back up your own information. ADT Select Managed Access Control delivers the advanced protection of ADT Electronic Access Control within your parameters, regardless of the size of your enterprise.

• 24/7 administration
• Access control system upgrades and backup
• Systems on redundant servers in UL-certified facilities

Focus on managing your business, and let ADT manage your access.

To learn more, visit ADT.com or call 888-700-4810. Stop by ADT Booth #2700 at the ASIS Expo.

ADVANCED ENCRYPTION | CENTRAL DATA HOSTING | ONLINE MANAGEMENT | EASY CUSTOMIZATION

ADT state license numbers are available for review at www.ADT.com or by contacting 1-800-ADT-ASAP. ©2009 ADT Security Services, Inc. All Rights Reserved. ADT, the ADT logo, ADT Always There and 1-800-ADT-ASAP are registered trademarks of ADT Services, AG, and are used under license.


FROM THE EDITOR

Time to Get Organized

Ben Kingsley: There I was in prison. And one day I help a couple of older gentlemen make some free telephone calls. They turn out to be, let’s say, good family men.
Robert Redford: Organized crime?
Ben Kingsley: Don’t kid yourself. It’s not that organized.

****

That’s from the movie Sneakers in 1992, with Ben Kingsley’s mob-connected group running cyber misdeeds on a big stylish Cray supercomputer. Here we are, 17 years later, staring down the barrel of organized crime that’s:

1) Loosely connected to the traditional mob in some cases, but not in most cases;
2) Even less organized than Kingsley’s depiction of the traditional mob;
3) Active in both the physical and digital worlds.

This issue provides an in-depth look at organized crime in both worlds, focusing on retail theft and on identity theft markets.

Think there’s no part being played by the crime families of yore? Wrong. The Gambino family is accused of planting an employee in a Lowe’s home improvement store to facilitate insider theft. The Bonanno family allegedly masterminded data theft from Lexis-Nexis.

Conversely, think The Godfather is running the whole show? This assumption is even further off-base. Small, nimble groups working in loose confederations: that’s the new model that accounts for the lion’s share of organized crime activity. One set of groups steals, another collects the goods for distribution, a third filters those goods into flea markets, online auctions or grey markets. Catch the shoplifter? Plenty of others can step up to fill the void. In the online world, somebody writes malware to infect computers, someone else manages the botnets created using the malware, a third party rents the botnet to harvest identities, a fourth group uses the identities to buy real goods. Take down the botnet manager? It’s relatively easy for the other groups to find a replacement service provider.

Think this is not for the CSO? That it’s really law enforcement’s problem to solve? Strike three. In fact, this is the most damaging misconception you could hold. Your company’s losses to organized crime will continue to mount unless you pitch in.

The first step is to dispense with stereotyped views of the challenge. Michael Fitzgerald, the contributor who wrote this special report, spoke to investigators, CSOs, loss-prevention experts and law enforcement officials to provide a nuanced understanding of the modern tactics of organized crime.

The second step is to improve information sharing among the good guys by orders of magnitude. Sharing of incidents, sharing of bad-guy tactics, sharing of effective practices. There are a number of efforts to do this. That’s good. Law enforcement as a concerted entity is as much a work of fiction as is The Godfather. The good guys have to work much like the bad guys: smaller groups, loosely affiliated, each working to address one specialized segment but efficient at connecting with the other groups.

Yes, by all means, don’t kid yourself: it’s time to get organized.

-Derek Slater, dslater@cxo.com


Editor in Chief Derek Slater
Senior Editors Bill Brenner, Joan Goodchild
Copy Editor Kristin Burnham
Editorial Administrator Simone Levien
Contributors Mary Brandel, Michael Fitzgerald, Gregg Keizer, Robert Lemos, Gregory A. Paw, Ariel Silverstone

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH
Research Manager Carolyn Johnson

TECHNICAL ADVISORY BOARD
Jason Cowling
Jeremiah Grossman, WhiteHat Security
Frank Murphy, TBG Security
Stephen Northcutt, SANS Institute
Richard Power, Carnegie Mellon CyLab

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

INTERNATIONAL DATA GROUP
Chairman of the Board Patrick J. McGovern

IDG COMMUNICATIONS, INC.
CEO Bob Carrigan
Chief Content Officer John Gallant

BPA WORLDWIDE




Photo  by  Webb  Chappell 


EXECUTIVE VIEWPOINT

ADVERTORIAL

Identity Fraud Rising: Today’s Tough Economy Calls for Tough Access Control

Grant Evans, chief executive officer and chairman of the board of directors, ActivIdentity Corporation

Grant Evans is a 22-year veteran of the identity security market with experience ranging from startups to multi-hundred million dollar companies.

A turbulent economy brings many security challenges—from increased identity fraud and insider threats to heightened oversight. CEO Grant Evans of Fremont, Calif.-based ActivIdentity shares his thoughts on the growing need for strong authentication and credential management.

How has the financial crisis and recession impacted identity fraud?

All forms of identity fraud have risen dramatically. One analyst estimates online identity theft in the U.S. has jumped from 37 percent to 68 percent. Historically, U.S. financial institutions have mitigated fraud risk by relying on insurance policies and offered consumers reimbursements rather than deploy strong authentication technology. That lack of access control gives hackers and identity thieves the perfect environment for their crimes. Now, though, many financial organizations are implementing strong authentication methods to address fraud loss, strengthen compliance, and to gain competitive advantage.

What else do CSOs need to think about in a challenging economy?

There are two other issues that point to the need for strong authentication and credential management systems. First, in conjunction with a credential management system, strong authentication can protect the organization against dangerous insider threats—namely disgruntled ex-employees—during a time when massive layoffs seem to occur daily. Second, with increasing oversight, strong authentication allows you to define, track, monitor, and report on who has access to what and when; thus reducing the time and cost associated with audit compliance.

Has ActivIdentity’s approach to new technology offerings changed as a result of the economy?

Yes it has. Given today’s cost pressures, ActivIdentity is pursuing strategies that enable organizations to more affordably thwart security threats and identity fraud. We are partnering with managed service providers that will offer our security solutions to enable strong authentication and credential management services “in the cloud.” We are also taking advantage of mobile phones as authentication devices—instead of issuing badges—to provide greater user convenience and jump-start security initiatives with a lower TCO.

What role does regulation play in strong authentication?

Regulatory compliance is a major driver in the adoption of strong authentication across many industries. For example, with legislation like the Homeland Security Presidential Directive 12, strong authentication and credential management systems allow government agencies to issue, use and manage Personal Identity Verification (PIV) cards in compliance with the FIPS 201 standard. Similarly, many large enterprises take advantage of strong authentication to document access to sensitive data or applications for compliance with the Sarbanes-Oxley Act.

How are you safeguarding your own company from identity fraud?

We deploy our own solutions to secure our IT infrastructure and adhere to best practices for identity and access management. Our employees wear badges that contain their personal information and identity-based access credentials in a smart card chip. Those badges are used to open doors, log into computers, and access the VPN environment and business applications—all of which helps us defend against security threats and identity fraud.

What advice would you give CSOs as they contemplate their identity challenges?

When it comes to implementing strong authentication and a credential management system, CSOs should consider the following: First, evaluate and select authentication methods that are most appropriate for one or more use cases across different user communities. Second, be sure to think about future use cases and user communities. Finally, migrate toward a broad-portfolio vendor that provides a single authentication infrastructure while supporting all necessary methods.

FOR MORE INFORMATION:

Check out the white paper "Understanding Versatile Authentication and its Benefits" at www.csoonline.com/whitepapers/actividentity

ActivIdentity

CSO Custom Solutions Group


[ FROM THE PUBLISHER ]

Tweet Tweet

I’m getting the sense that there is a problem brewing out there in corporate land. I’ve had the good fortune to spend the past eight months travelling North America and listening to the concerns and challenges of CSOs, nearly 300 of you. One topic seems to keep creeping into the conversations: social networking.

It’s an interesting challenge that I doubt many of you saw coming two years ago. MySpace was one thing, but Facebook, Twitter, LinkedIn and others have raced onto the scene and gained unbelievable levels of user adoption among your employees. I’ll be the first to admit that I am a big Facebook user. I also used LinkedIn. I’m on Twitter (but I don’t do too much with it... yet). What are the concerns? I think initially we all thought it would be about productivity as we envisioned our workers tweeting away from their desks for hours on end. To a certain degree that is accurate, but the real risks are so much greater.

Employees, probably unknowingly, are giving away unbelievable amounts of intelligence about what your businesses are doing, how they are doing it, even why they’re doing it. By following the employee of a competitor on Twitter or befriending them on Facebook, you can easily monitor their travels or read about their ups and downs at work. I have a friend on Facebook who works for a venture capital firm who is constantly updating his status on Facebook and Twitter with his latest travails checking out investment opportunities for his firm. I wish I had my own VC firm and I’d be scooping him left and right. I’m sure he hasn’t considered this. As CSOs, I hope you are thinking about what this means to your organizations.

At a conference CSO held last winter in Chicago, one of the speakers shared his concerns about the risks posed by his “VPs who are constantly tweeting away” about this and that, including their travels to other parts of the world. He’s just waiting for one of them to get kidnapped when you give that much information away, which is exactly the type of thing that might happen. (In this regard, you might recall the back page from the May issue, “The Final 5 Tweets of Harold Wigginbottom, Tech-Savvy CEO”; see www.csoonline.com/article/493507.)

I haven’t even mentioned the risks from malware exploiting social networks to infiltrate the enterprise.

The challenges posed by social networking risks are not insurmountable, but they must be addressed through policy and technology. Use policies that govern the use of social networks by your employees and explain to them what the risks are. Use technology to monitor and enforce those policies. If you find something that works, post it up on Facebook so we can all benefit from your success. Then again...

-Bob Bragdon, bbragdon@cxo.com


Advertiser index

3M . . . . . . . . . . . . C4
ActivIdentity Inc . . . . . 5
ADT Security Services, Inc . 3
CA Inc . . . . . . . . 12a, 13, 27
CSO . . . . . . . . . . . 39
Edgile, Inc . . . . . . . 23
HID Corp . . . . . . . . 21
IBM Corp . . . . . . . . C2
ISACA . . . . . . . . . . 8
Lumension . . . . . . . . 7
nCircle . . . . . . . . . 19
PhoneFactor . . . . . . . C3
RSA Security . . . . . . 15, 17
Tripwire Inc . . . . . . . 11


Group Publisher Bob Melk
Publisher Bob Bragdon
Senior National Sales Manager Per Melker
East Coast Regional Sales Manager Roz Burke
West Coast Regional Sales Manager Michelle McHugh
Sales Associate Sarah Nadeau

INTEGRATED MEDIA AND ONLINE SALES
SVP, Online Sales & Ops Gregg Pinsky
VP, Online Sales Brian Glynn
East Coast Online Regional Sales Manager Richard Hartman
West Coast Online Regional Sales Manager Erika Karr
Central Online Regional Sales Manager Stacy Bryne
Manager, Online Account Services Danielle Tetreault
Online Account Services Specialists Jennifer Malkasian, Elise Ryan, Tara Shea

CUSTOM SOLUTIONS GROUP
Vice President Charles Lee
National Sales Directors Adam Dennison, Tom Grimshaw, Karen Wilde

PRODUCTION
VP/Manufacturing Chris Cuoco
Production Manager Heidi Broadley

EXECUTIVE PROGRAMS
SVP, Executive Programs Ellen Daly
Vice President, Event Marketing Michael Garity
Sr. Director, Event Operations Deb Begreen
VP, Content Development & Events Derek Hulitzky

MARKETING
Vice President, Marketing Sue Yanovitch
Sr. Marketing & PR Specialist Lynn Holmlund

LIST SERVICES
Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460 ext. 129, cso@theYGSgroup.com




Photo  by  Christopher  Navin 


Automated Compliance Workflow

Integrated Unified Compliance Framework*: PCI, HIPAA, FISMA, SOX, ISO 27002 and More

Identify and Focus on the Risk that Matters Most

Lumension
IT Secured. Success Optimized.

COMPLIANCE and IT RISK MANAGEMENT: Achieving compliance is no easy task. Passing an audit is just as tough. But the price of failure is substantial, disrupting your business and creating operational inefficiencies that impact your bottom line. Lumension Compliance and IT Risk Management helps you reduce your overall cost of compliance by streamlining the audit process, unifying the controls and compliance frameworks and automating the IT Risk assessment process.

Find your way down the audit trail and download Lumension’s FREE Whitepaper on Five Ways to Reduce Your IT Audit Tax at www.lumension.com/security-tip-30

1.888.725.7828

*The Unified Compliance Framework (UCF) is a trademark of Network Frontiers, LLC.

Vulnerability Management | Endpoint Protection | Data Protection | Compliance and IT Risk Management


Being a CISA®, CISM® and/or CGEIT®:

> Counts in the hiring process.
> Enhances your credibility and recognition.
> Boosts your earning potential.

Secure Your Career: Get Certified.

Visit www.isaca.org/csomag.

ISACA
Serving IT Governance Professionals

ISACA Certifications

ISACA certifications increase your value to employers and clients.

AWARDS 2009 WINNER
Honored in the U.S.

CISA wins SC Magazine’s Best Professional Certification

CISM named finalist for SC Magazine’s Best Certification Program


“[Susan Smith’s] eyes were up to her left, then down to the right. That’s when I knew she knew exactly where her children were.”


Edited  by  Bill  Brenner 


Trojan Clampi Spreads via Windows Networks

The malicious program designed to steal user names and passwords can clog up corporate networks

An advanced piece of malicious code designed to steal user names and passwords to financial accounts is causing headaches for corporations, security researchers say.

The Trojan horse, commonly called Clampi but also known as Ligats and Ilomo, was first seen at the end of 2007, and typically is copied onto the systems of users that browse compromised websites. However, since the beginning of July, security firms have seen it spread much more quickly, taking over hundreds of thousands of computers, according to Joe Stewart, director of malware research for security firm SecureWorks.

The reason for the recent jump in infections? Clampi uses the administrator account for Windows domains and the PSEXEC function to spread to all the computers in a given network.

“PSEXEC sometimes gets a thousand infections for the price of one,” Stewart says. Once a computer is infected, Clampi will steal the log-in credentials for the websites of approximately 4,600 financial institutions and businesses in 70 different countries. Each time the victim logs in to one of the sites from Clampi’s internal list, the program will log the user’s name and password. Because the Trojan uses a simple but effective encryption mechanism to hide the names of the sites, Stewart scrambled a list of the top one-million domains in a like manner and identified about 1,400 of the sites. Among the sites are advertising networks, utilities, online gambling sites and job sites.

“They are not just going after banks, they are not just going after stock brokers, they are going after any financial or sensitive information,” Stewart says.

For users, the worst part of Clampi is its ability to steal the credentials used in financial and other sensitive accounts. For companies, however, dealing with the spread of the program can be a nightmare. Since the beginning of July, Symantec has seen an increase in the number of Clampi infections, the company stated in an advisory on the threat. “For a large-scale infection like this, you are limited in what you can do to cure it,” stated one enterprise IT administrator on Symantec’s Endpoint Protection Forum. “Honestly, if no specific antivirus can get to it, you will have to go about it the old-fashioned way, starting with your domain controllers [and] servers. Everything that has an OS service running must be shut down. I mean every machine, mission critical, mail, file server, everything shut down.”

Companies cannot ignore the Trojan’s ability to steal log-in credentials, either. One company, an auto parts provider, lost $75,000 after a key computer was compromised, according to an article in The Washington Post.

Once it compromises a computer, Clampi uses a modular system of dynamically linked libraries to extend its functionality, adding components to steal saved passwords, log HTTP requests to websites, spread via PSEXEC and insert fake information into website log-in pages to cause banks to ask for additional information, such as the answers to the victim’s secret questions.

Cracking the network of compromised computers has been difficult, according to SecureWorks’ Stewart. The botnet created by the Trojan-horse program uses multiple proxies to hide the final destination of the data. The program also uses 448-bit Blowfish encryption to communicate with the command-and-control servers. “It’s a tiered arrangement,” Stewart says. “To find the controller, you have to be able to get through all the machines in between.” -Robert Lemos
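The spreading mechanism described above (one domain administrator account plus PsExec fanning out across a network) leaves a recognisable trail on every host it touches: Windows logs each newly installed service (System event 7045, Security event 4697), and the service PsExec registers is named PSEXESVC by default. The Python detector below is an added example, not code from the article, SecureWorks or Symantec; the CSV export layout and every host and account name in it are constructed for illustration.

```python
"""Spot PsExec-style lateral-movement fan-out in Windows new-service events.

Two rules: an exact PSEXESVC signature, and a more robust fan-out rule that
flags one account installing new services on many hosts within a short
window (the "thousand infections for the price of one" pattern).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real logs). The column layout is an
# assumption made for this example:
# timestamp,target_host,event_id,service_name,image_path,subject_account
SAMPLE_EVENTS = """\
2009-07-14T09:12:03Z,WS-017,7045,PSEXESVC,%SystemRoot%\\PSEXESVC.exe,CORP\\domadmin
2009-07-14T09:12:05Z,WS-018,7045,PSEXESVC,%SystemRoot%\\PSEXESVC.exe,CORP\\domadmin
2009-07-14T09:12:08Z,WS-019,7045,PSEXESVC,%SystemRoot%\\PSEXESVC.exe,CORP\\domadmin
2009-07-14T09:12:11Z,FS-02,7045,PSEXESVC,%SystemRoot%\\PSEXESVC.exe,CORP\\domadmin
2009-07-14T09:12:14Z,WS-022,7045,PSEXESVC,%SystemRoot%\\PSEXESVC.exe,CORP\\domadmin
2009-07-14T09:12:17Z,WS-023,7045,svchlp,%SystemRoot%\\svchlp.exe,CORP\\domadmin
2009-07-14T10:40:00Z,WS-031,7045,PSEXESVC,%SystemRoot%\\PSEXESVC.exe,CORP\\helpdesk1
2009-07-14T11:02:30Z,DC-01,7045,BackupAgent,C:\\Program Files\\Backup\\agent.exe,CORP\\svc-backup
"""

NEW_SERVICE_EVENTS = {7045, 4697}   # System log 7045, Security log 4697
PSEXEC_SERVICE = "PSEXESVC"         # PsExec's default remote service name


def parse_events(text):
    """Parse the CSV export into dicts with a datetime timestamp."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, host, event_id, service, image_path, subject = row
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "event_id": int(event_id),
            "service": service,
            "image_path": image_path,
            "subject": subject,
        })
    return events


def psexec_service_installs(events):
    """Rule 1: the PsExec default service name or binary. A renamed
    service (PsExec's -r switch) slips past this rule, hence rule 2."""
    return [
        e for e in events
        if e["event_id"] in NEW_SERVICE_EVENTS
        and (e["service"].upper() == PSEXEC_SERVICE
             or e["image_path"].upper().endswith(PSEXEC_SERVICE + ".EXE"))
    ]


def fanout_alerts(events, window=timedelta(minutes=10), min_hosts=5):
    """Rule 2: one account installs new services on >= min_hosts distinct
    hosts within `window`. Admins rarely do this; a worm riding a domain
    admin account does it by design."""
    by_subject = defaultdict(list)
    for e in events:
        if e["event_id"] in NEW_SERVICE_EVENTS:
            by_subject[e["subject"]].append(e)

    alerts = []
    for subject, evs in by_subject.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):            # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"subject": subject,
                        "first_seen": evs[start]["ts"].isoformat(),
                        "hosts": sorted(hosts)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for e in psexec_service_installs(evs):
        print(f"PSEXESVC installed on {e['host']} by {e['subject']}")
    for a in fanout_alerts(evs):
        print(f"FAN-OUT: {a['subject']} touched {len(a['hosts'])} hosts "
              f"from {a['first_seen']}: {a['hosts']}")
```

On the constructed data, rule 1 misses the renamed svchlp service on WS-023, while rule 2 still catches it because the same account installed services on six hosts in fourteen seconds.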


Photo  by  iStockphoto 




>> BRIEFING

BY THE NUMBERS

$704,610
Amount of money attackers siphoned out of bank accounts belonging to the Western Beaver County School District earlier this year

11
Number of vulnerabilities fixed in Firefox 3.0 in late July

10
Number of Firefox flaws that were considered critical

4
Approximate number of months remaining until Mozilla kills off Firefox 3.0 and forces users onto version 3.5

9
Number of security patches Microsoft released in August

300
Number of companies attacked by the same malware that enabled the data security breach at Heartland Payment Systems (according to Heartland CEO Robert Carr)




Susan and David Smith address reporters on Nov. 2, 1994, pleading for the safe return of their sons, 14-month-old Alex and Michael, 3, who had been missing since an alleged car-jack-kidnapping over a week earlier.


INVESTIGATIONS

4 WAYS TO CATCH A LIAR

Most people lie, whether they’re covering up something sinister or just embarrassed over a mistake. Research conducted a few years ago at the University of Massachusetts found that 60 percent of participants lied at least once during an observed 10-minute conversation. If you’re trying to get to the bottom of a work incident or just asking the kids who broke the TV, it’s useful to know how to spot a lie.

Body language expert and human behavior specialist Carolyn Finch, who served as a consultant and analyst for media outlets during the O.J. Simpson trial, has appeared on CNBC News and The Ellen DeGeneres Show. Here, Finch gives a rundown of the hallmark physical signs people display when they are trying to put one over on you (watch the video for Carolyn’s analysis and her recall of famous cases of alleged lying at www.csoonline.com/article/498057).

These signs don’t guarantee that lying is in progress, but they’re valuable clues to recognize.

Tense facial expressions. When people lie, says Finch, they tend to smile with only the lower muscles in their face. A liar might try to fake a smile to look genuine or at ease. But a real smile uses the entire face, including the eyes.

Hesitant speech and pausing. A liar will speak hesitantly, according to Finch, and often pauses frequently when answering a question. A liar might also repeat words or stutter, she says.

“A person who is pausing is thinking,” says Finch. “The eyes go up and around and down to think about what they are going to say next.”

A liar might also place a finger in front of their mouth, as if contemplating, when they are about to say something that is untrue.

Nervous behavior and overemphasis. Other face touches might include nose rubbing or touching underneath the nose, all indicators the person is uncomfortable. And watch hands closely for hyperactive gesturing or shaking, which are easy ways to spot nervousness.

Finch says Bill Clinton’s now-famous statement in 1998 about his relationship with Monica Lewinsky is an example of this kind of overemphasis. Clinton, who later admitted to an inappropriate relationship with the White House intern, initially told the public: “I did not have sexual relations with that woman, Ms. Lewinsky.”

Finch says: “This [Clinton’s hand gestures] is making a very sarcastic point. [He’s saying] ‘Do you hear me? Do you hear me?’ It’s almost a sarcastic, sharp point saying, ‘OK, what’s matter with you people?’ This was accompanied with a lot of blinking, much more than ordinarily seen with Bill Clinton.”

Lack of eye contact or shifty eyes. Liars will sometimes avoid making eye contact, but these days, many know that eye contact has become a well-known indicator. It’s a poor sign, says Finch, because liars will make a concerted effort to keep your gaze so as not to arouse suspicion. However, Finch advises studying where their eyes go if, and when, they do break gaze.

Finch says she immediately recognized that Susan Smith, who was convicted of drowning her two children in 1994, was lying during a TV interview. Before Smith was charged with the crime, she told police and the media that her children were abducted and that she didn’t know where they were.

“With Susan Smith, I looked at her eyes and knew. Her eyes were up to her left. She was visualizing what had happened. Then she was down to the right. That’s when I knew she knew exactly where her children were.”

-Joan Goodchild


10 www.csoonline.com September 2009


Photo  by  AP/Wide  World  Photos 


EXECUTIVE VIEWPOINT

ADVERTORIAL

A Holistic Approach to Compliance

Tripwire helps companies reduce risk and meet standards requirements using strategic processes

Gene Kim, co-founder and chief technology officer, Tripwire Inc.

Kim is co-founder of Tripwire and the IT Process Institute. He is also co-author of two renowned books, The Visible Ops Handbook and The Security Visible Ops Handbook, codifying how to successfully transform IT organizations from "good to great."

Too often, companies consider compliance a check-box project rather than a strategic process. They gather their teams in a frenzy to meet on-the-spot audit requirements rather than intelligently integrating compliance into their overall enterprise security strategy. This is a critical and costly error, says Gene Kim, CTO for Tripwire. Read on for more compelling insight into how companies can avoid this pitfall through automation and continuous compliance.

There's a common misconception that security and compliance are one and the same. How are they different?

I view compliance as an outcome of good information security. When you're secure, compliance is not a major capital project that requires you to do a lot of things differently. Instead, it is more of a reporting function. Security, by definition, involves safeguarding confidential information, protecting against fraud, and ensuring that systems are available so you can generate revenue and trust that your controls are effective. When you do this, you fulfill the spirit and intent of all major regulatory and industry compliance requirements, such as the Payment Card Industry’s Data Security Standard and Section 404 of the Sarbanes-Oxley Act of 2002.

What is the state of compliance today?

Many [companies] are still focused on “checking all the boxes” for each specific regulatory and contractual standard, rather than addressing the underlying and foundational security processes and controls that are in all the major compliance standards. Often, they are generating massive amounts of paperwork to create the illusion of a secure system for auditors. But when the auditor leaves, they undo everything because that’s not how the organization actually does daily operations.

What should be happening?

Compliance must be looked at as a process as opposed to a one-time project. When it’s a project, you’re always scrambling for the next audit and will often spend about the same amount of work in each audit cycle. But when compliance is a process, you integrate it into your daily operations, and compliance becomes a task, not a major project that requires heroics. This requires automating the process of testing controls, which is good from a manpower and reliability standpoint.

Explain "continuous compliance."

There are five things that are required to have a trustworthy continuous compliance process. You have to know what compliance standards you are responsible for meeting; the business and IT risks that jeopardize meeting those standards within your organization, such as unauthorized access, and unauthorized configurations and changes; where the controls for those potential risks live in the network; how to test those controls; and finally, how to monitor and report on them for effectiveness. If you don’t automate the testing and reporting of IT controls, you’ll have to do things like log into each system and manually check accounts, check configurations, justify changes and so forth. This approach is extremely labor-intensive. Also, if you’re not doing continuous compliance through automation, then you’re leaving a window of vulnerability open where unauthorized access and changes can occur. This is bad for security and certainly for compliance.

Are there any other benefits to continuous compliance?

Definitely. It makes you far more agile as an organization because once you have a known secure state, then you can reduce that risk by setting policies and monitoring privileged accounts for unauthorized adds, moves and changes. There are essentially three levels of value around controls: integrating controls to advance compliance objectives, security objectives and operational objectives. The higher you go up the stack, the more value you get out of controls, but the business value goes up and compliance effort goes down. That’s something that every organization should be aspiring towards.
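What one cycle of the automated control testing Kim describes can look like, as an added example that is not Tripwire's code or product: a known-good baseline of approved privileged accounts and configuration-file hashes is taken once, then every run compares the current state against it and reports each deviation as a finding, which is the "test, monitor, report" part of the five steps above. Every account name, path, file content and severity below is constructed for illustration.

```python
"""Automated control testing against a known-good baseline.

Added example, not Tripwire's product or code: a minimal form of the
"continuous compliance" loop described above. A baseline records the
approved privileged accounts and the SHA-256 of each monitored
configuration file; every run compares the current state to it and
reports drift as findings. Accounts, paths, file contents and
severities below are all constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Baseline:
    privileged_accounts: set[str]    # approved members of the admin group
    config_hashes: dict[str, str]    # path -> expected SHA-256 hex digest


@dataclass
class Finding:
    control: str     # which control the deviation affects
    detail: str
    severity: str


def build_baseline(accounts: set[str], files: dict[str, bytes]) -> Baseline:
    """Snapshot a reviewed, known-secure state; taken once, then re-used."""
    return Baseline(set(accounts), {p: sha256_hex(c) for p, c in files.items()})


def check_privileged_accounts(baseline: Baseline, current: set[str]) -> list[Finding]:
    """Unauthorized adds, moves and changes to privileged accounts."""
    findings = []
    for acct in sorted(current - baseline.privileged_accounts):
        findings.append(Finding("privileged-access",
                                f"unapproved privileged account added: {acct}", "high"))
    for acct in sorted(baseline.privileged_accounts - current):
        findings.append(Finding("privileged-access",
                                f"approved privileged account missing: {acct}", "medium"))
    return findings


def check_config_integrity(baseline: Baseline, current: dict[str, bytes]) -> list[Finding]:
    """Unauthorized configuration changes, detected by hash comparison."""
    findings = []
    for path, expected in baseline.config_hashes.items():
        if path not in current:
            findings.append(Finding("config-integrity", f"monitored file missing: {path}", "high"))
        elif sha256_hex(current[path]) != expected:
            findings.append(Finding("config-integrity", f"unauthorized change to {path}", "high"))
    for path in sorted(set(current) - set(baseline.config_hashes)):
        findings.append(Finding("config-integrity", f"file not in baseline: {path}", "low"))
    return findings


def run_compliance_check(baseline, current_accounts, current_files):
    """One cycle of the continuous loop: test every control, return the report."""
    return (check_privileged_accounts(baseline, current_accounts)
            + check_config_integrity(baseline, current_files))


# Constructed sample state: the reviewed baseline ...
APPROVED_ACCOUNTS = {"root", "alice"}
APPROVED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"%wheel ALL=(ALL) ALL\n",
}
BASELINE = build_baseline(APPROVED_ACCOUNTS, APPROVED_FILES)

# ... and a later observation in which a service account gained admin rights
# and root SSH login was re-enabled without any change record.
DRIFTED_ACCOUNTS = {"root", "alice", "svc_backup"}
DRIFTED_FILES = dict(APPROVED_FILES)
DRIFTED_FILES["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for f in run_compliance_check(BASELINE, DRIFTED_ACCOUNTS, DRIFTED_FILES):
        print(f"[{f.severity}] {f.control}: {f.detail}")
```

Run on a schedule, the empty report is the evidence that the known secure state still holds; a non-empty one is the audit trail of what changed and when, which is what replaces the per-audit scramble of logging into each system by hand.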


FOR MORE INFORMATION
Check out "Beyond PCI Checklists: Securing Cardholder Data with Enhanced File Integrity Monitoring" at www.cio.com/whitepapers/tripwire_PCI

CSO Custom Solutions Group


>> BRIEFING

SOCIAL NETWORKING

Security experts scramble to decipher Twitter attack

Security analysts scrambled to find a motive behind the distributed denial-of-service attacks that brought down Twitter for several hours and also hit Facebook, Google and LiveJournal last month.

With little information to go on, researchers ended up speculating on who launched the attacks and why, although several agreed that Twitter’s infrastructure needed immediate strengthening.

“If you monitor the hacking forums, it’s clear they’re pissed at Twitter,” says Richard Stiennon, founder of IT-Harvest, a security research firm. “Twitter came out of nowhere. Hackers hated that. They’d been using forums and IRC to communicate, and all of a sudden, the rest of the world has their own thing in Twitter.”

To Stiennon’s thinking, the rise of Twitter, and the backlash against it, resembles the situation in the 1990s when AOL rose to prominence, but tech-savvy users denigrated it as little more than a glorified bulletin board system. “It’s the same thing now,” Stiennon says. “They look at Twitter and think, ‘there goes the neighborhood.’ So they wanted to demonstrate that they could take it down and generate news at the same time.”

Roger Thompson, chief research officer at AVG Technologies, has a different idea.

“I think it was a vigilante,” he says, “who wants to call attention to the danger of botnets.”

Thompson’s theory posits that the vigilante, perhaps a security professional, assembled a small botnet, then aimed it at Twitter and Facebook, which was also attacked. He based his idea on several similarities to the distributed denial-of-service (DDoS) attacks that hammered U.S. government and South Korean commercial sites in early July.

Those attacks, at one point thought to originate from North Korea, were unfocused, had no noticeable political agenda and, most important, ended with the botnet controller ordering the machines to self-destruct by wiping their hard drives. “Who builds a botnet, then destroys it?” Thompson asks. “That’s just crazy.”

In fact, Thompson says he believed the Twitter hacker was the same person who ran the U.S./South Korea DDoS almost exactly a month ago. “No one profits from DDoS-ing Twitter,” he says. “The only possible explanation is that someone wanted to make people think about something, and I think that something is botnets. Botnets are a very big problem, but no one does anything about them,” he says.

Both Stiennon and Thompson used the word “easy” to describe the kind of DDoS attack required to successfully attack Twitter and other websites. “It wouldn’t take a real big botnet,” says Thompson. “One with 20,000 to 30,000 bots could have spoiled Twitter’s day.”

A different theory was that the attacks were directed against one individual, a pro-Georgian blogger identified only as “Cyxymu,” who had accounts on Facebook, Twitter, LiveJournal and Google’s Blogger and YouTube.

One thing security researchers seemed to agree on was that Twitter needs to bolster its Web infrastructure or it will invite further attacks.

-Gregg Keizer, Computerworld


Security Wisdom Watch

A look at people and things impacting security, for better or worse, in the last month

THUMBS BOTH WAYS: Microsoft. The software giant had a brutal summer chasing down high-profile security holes, including one that emerged from Black Hat/Defcon. The headlines were ugly, but not nearly as bad as the kind of attention the company used to get in the days of Slammer, Blaster and Sasser.

THUMBS DOWN: Twitter. The site was knocked down for several hours last month by one or more hackers, forcing tweet addicts to find something else to do. It was a wake-up call for Twitter to throw up some armor.

THUMBS DOWN: White House cybersecurity position. When President Obama announced in May that he was establishing a White House office for cybersecurity, the news was welcomed as a sign of the administration finally recognizing cyberthreats as a national security issue. But in August, the position remained unfilled, and with the resignation of the acting cybersecurity chief, it seemed like it was a job nobody wanted. One reason: a perceived lack of clout for the would-be office holder.

THUMBS BOTH WAYS: Fast-food drive-thru displays. A researcher finds a possible hole in how displays are wired to the rest of the network. But there’s little consensus over the size and scope of the threat. -Bill Brenner


The Day a Hacker Made Twitter Go Away




Verbatim...

“The audits done by our qualified security assessors were of no value whatsoever. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘you've got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me.”

-Heartland Payment Systems CEO Robert Carr on how compliance auditors were of little help in preventing the massive data breach the company ultimately suffered

“If I can get a hold of their credentials then I can have some fun.”

-Robert West, former chief information security officer at Fifth Third Bank, on how he could exploit the widely used but obscure Automated Clearing House (ACH) Network to empty out other people’s bank accounts

CA Security Management software streamlines your IT security environment so your business can be more secure, agile and compliant without upsizing your infrastructure. All with faster time to value. Greater efficiency starts with more efficient IT. That's the power of lean.

Learn more at ca.com/security/value

Copyright ©2009 CA. All rights reserved.


Verbatim...

"The position just isn’t high enough in the White House food chain to attract the most qualified people.”

-Tom Kellerman, vice president of security awareness at Core Security Technologies, on why it’s taking so long for President Obama to put a new cybersecurity coordinator in place

"If you monitor the hacking forums, it’s clear they’re pissed at Twitter. Twitter came out of nowhere. Hackers hated that. They’d been using forums and IRC to communicate, and all of a sudden, the rest of the world has their own thing in Twitter.”

-Richard Stiennon, founder of security research firm IT-Harvest, after Twitter was knocked offline for hours in a denial-of-service attack

"Much of this you should be doing anyway. If you follow best practices, such as those outlined in things like Cobit and ISO 17799, you will be okay.”

-David Escalante, director of computer policy and security at Boston College, to those who are worried about meeting the tough requirements of the Mass 201 CMR 17 data protection law


IN A RECENT CSO POLL SPONSORED BY CA, IT MANAGERS REVEALED:

What would make IT security easier for you?

■ Automation of tasks: 63%

■ Streamlined auditing for compliance: 25%

■ Controlled data access: 13%

In today's lean IT environments, automation is the most efficient way to ease data security demands while enabling staff to focus on revenue-generating activities. IT managers must look to implement automation solutions built on best practices for quick ROI and reliable performance.

Read more of what your peers are saying on Security at leanit.socialmedia.com/leanit


David Escalante has as much cause as any IT security practitioner to be nervous about Mass 201 CMR 17, the tough Massachusetts data protection requirements that organizations must comply with by March 1, 2010.

As director of computer policy and security at Boston College, he oversees the security of a computer network accessed daily by some 10,000 students who storm the campus after Labor Day with myriad personal computing devices loaded with any number of sinister programs.

Yet he was cool and calm during a recent CSO Executive Seminar on Mass 201 CMR 17, as were the other legal and security experts on hand.

The reason: They’re reasonably confident that most companies will survive this latest compliance push unscathed. And why not? Many of the provisions are basic best practices that other government regulations and industry standards have required for years.

That’s not to say this is a piece of cake. Compliance doesn’t always ensure security. The Hannaford supermarket chain learned this the hard way after suffering a data breach despite all the PCI DSS compliance work it had done. And so the seminar speakers tried to give attendees a clearer picture of what’s needed. Among the advice: Have a plan on the shelf that outlines who will do what in the event of a data breach, and invest time and money in awareness campaigns that won’t put employees to sleep.

Despite the calmness described above, few challenges have been more worrisome to IT security practitioners than meeting all the requirements of Mass 201 CMR 17. With a March 1 compliance deadline, companies are scrambling to make sense of just what exactly needs doing in the next few months and where the security controls they installed for previous regulatory requirements may or may not fit in.

Issued last September, the regulations require that businesses encrypt documents sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data and deploy up-to-date firewalls to create “an electronic gatekeeper” between the data and the outside world that only allows authorized users to access or transmit data. Because of the ongoing economic crisis and concern from companies that need more time to digest the provisions, the compliance deadline has been moved more than once. Companies now have until March 2010 to have all their security ducks in a row.

Escalante described how his organization is trying to meet the challenge with a program heavily focused on identity and access management, encryption and having an incident response plan to quickly and calmly deal with any security breach that may happen despite his organization’s best efforts. Regarding the incident response plan, he says, “You need to have a plan that’s clear about who will be called and who will do what in the event of a breach.”

Matt Karlyn, senior counsel at Foley & Lardner in Boston, has spent an increasing amount of his time helping companies navigate the language of the Bay State’s data breach law. He insisted it’s not as hard as one might think.

“Go back to your offices and print out the law,” he says. “It’s not hard to read. It really is a checklist. Take the panic out of it.”

-B.B.

ANALYSIS

A New Tea Party?

Two security experts try making sense of the tough Massachusetts data protection law

On these shores, it is often the case that laws, rules and regulations are passed as a response to public outcry. Much as the old Bostonians, dressed as Native Americans, tossed tea in the harbor to protest stamp laws and stand up for their individual rights, comes now the Commonwealth of Massachusetts with a new law and, more importantly, a new regulation for the purpose of safeguarding the personal information of Massachusetts residents (including those Bostonians) and standing up for individual rights.

The new regulation, with the catchy nickname of “201 CMR 17,” is arguably one of the most comprehensive regulations on the books today in any state in the union for the protection of private information.

Why should we care? While the regulation has the official title of “Standards for the Protection of Personal Information of Residents of the Commonwealth,” it applies to any entity that handles personal information about a resident of Massachusetts, whether or not that entity is formed or even exists within the Commonwealth.

According to accepted legal principles, these regulations can and do apply, for example, to a company doing business in Washington




state that has personal information about individuals who are residents of Massachusetts, even if that company never has any physical contact with the Commonwealth. Thus, the regulations are broad and mean that entities should recognize that they fall under them if they even possibly handle personal information about Massachusetts residents.

What is personal information? The definition of personal information focuses on information usually associated with an individual’s identity, such as Social Security numbers, drivers’ license numbers and financial transaction information. It does not include information publicly available, which we, in information technology, refer to as “directory information.” What is included, for example, is name plus social or drivers’ license or account numbers.

What do we have to do? To comply with the regulation, at a minimum, we must produce a written comprehensive information security program (yes, the term is again CISP) that provides for safeguards consistent with ongoing industry standards, including any base standards required from other state or federal regulations, such as the California data breach notification standard or the federal HIPAA standards under the Security Rule.

Our program must contain certain minimum elements: We must designate a main point of contact responsible for the program; assess the risks associated with our organization’s handling of personal information; apply appropriate mitigation to address the risks (including, at a minimum, training in the proper handling and safeguarding of personal information); review compliance with the program on an ongoing basis; detect and prevent security breaches; provide for training and disciplinary rules for employees to ensure awareness and application of the program to the handling of personal information; document responsive actions to any incidents or changes to business practices; and ensure that third-party vendors implement appropriate safeguards.

The regulation also looks to programmatic implementations to mitigate the risks associated with the handling of personal information to include minimizing the collection of personal information to that which is necessary and relevant to a legitimate purpose and identifying where this information is collected and stored.

Note that a large part of the regulation deals with allocation, distribution and caring for passwords and similar authentication means. This section appears to be much more coherent and detailed than PCI DSS, for example. A close read of this section is suggested to understand the requirements.

Full compliance with the provisions of 201 CMR 17 has been mandated for March 1, 2010, including the encryption piece of mobile devices. The deadline has been moved more than once, most recently in August, when state regulators issued a set of changes designed to make compliance more affordable for smaller businesses.

This isn’t fun and games. But it is a responsible, more holistic approach to privacy and security than we have seen before from a government body.

-Ariel Silverstone, CISSP (ariels@arielsilverstone.com) and Kenneth P. Mortensen, CIPP


The Security Division of EMC

www.rsa.com


>> BRIEFING

PHYSICAL/I.T. CONVERGENCE

Fast-Food FAIL

A cautionary tale on the potential security lapses between a drive-thru display LAN line and a fast-food restaurant’s point-of-sale system, as discovered by security practitioner Rick Lawhorn


Rick  Lawhorn  went  to  a  local  fast-food  chain  one  evening 
and  found  a  potential  security  threat  to  go  with  his 
burger  and  fries. 

His  findings  indicate  a  potential  glitch  in  how  a  typical 
drive-thru  display  is  wired.  Data  thieves  could  exploit  it  to  steal 
customer  credit  card  numbers,  he  warns. 

At  the  very  least,  the  Richmond,  Va.-based  IT  security 
practitioner  believes  his  findings  offer  a  lesson  on  how  not 
to  fuse  card-payment  machinery  with  the  rest  of  a  company 
computer  network. 

During his trip to the drive-thru, the display screen that lists one’s food order crashed and a bunch of code appeared.

Lawhorn was curious and snapped a picture of the screen with his cell phone, taking the image home for further study.

The  heartburn  he  later  experienced  wasn’t 
from  the  grease-soaked  food,  but  from  what  he 
found  upon  digesting  the  code  in  the  photo. 

"I hopped on Google and did some searches based on what I saw on the display and found documentation on how such systems should be set up under such things as PCI (the Payment Card Industry’s security standard),” Lawhorn says.

RELATED STORIES

Security at the Point of Sale www.csoonline.com/article/458175

Wireless Security: The Basics www.csoonline.com/article/347313

The  problem  with  the  setup,  he  found,  is  that  it  likely  cuts 
against  some  basic  security  requirements  concerning  network 
segmentation  and  wireless  devices. 

The  code  revealed  configuration  details  of  the  LAN  running 
from  the  drive-thru  display  to  the  building  and  indicated  that 
the  cable  ran  directly  to  the  restaurant’s  point-of-sale  system, 
where  customer  credit  cards  are  entered. 

Why  is  this  bad?  For  one  thing,  Lawhorn  says,  it’s  unlikely 
someone  is  babysitting  the  network  at  the  individual  fran¬ 
chises  for  security  issues.  Therefore, 
bad  guys  sniffing  the  network  would 
likely  escape  detection. 

“If  we  look  at  the  business  model 
for  a  typical  franchise,  the  indi¬ 
vidual  locations  report  to  a  parent 
company,  but  you  don’t  always  have 
someone  on  staff  at  the  individual 
stores  to  address  IT  and  security,” 
Lawhorn  says.  “And  so  you  often 
end  up  with  a  configuration  that  was 
set  up  just  in  time  to  get  business 
rolling.  When  it’s  done  that  way, 
security  holes  can  be  left  behind.” 

Lawhorn  doesn’t  know  how 
much,  if  any,  credit  card  data  the 
restaurant  in  question  may  be  stor¬ 
ing.  But  if  such  information  is  being 
stored  (a  no-no  under  PCI  security 
requirements),  a  cable  outside  the  build¬ 
ing  that  links  to  the  point-of-sale  system 
is  an  excellent  place  for  a  thief  to  find  it. 

What  is  Lawhorn’s  advice  for  IT 
security  practitioners  dealing  with  a 
franchise  setting  like  this? 

“Start  by  making  sure  the  people 
responsible  for  setting  up  these  net¬ 
works  are  using  modern  products  with 
security  controls  built  in,”  he  says.  “Also 
remember  that  there’s  no  need  for  the 
point-of-sale  to  be  connected  to  all  the 
other  parts  of  the  network.  There  must 
be  layers  of  security  that  include  intru¬ 
sion  detection,  firewalls  and  network 
segregation  between  what  the  public 
can  access  and  where  sensitive  data  is 
processed.” -B.B.
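Lawhorn's segregation advice can be checked as a policy rather than eyeballed on a wiring diagram. The following is an added example, not code from the story or from Lawhorn: it models a store network as segments joined by explicit firewall rules and asks whether anything on the drive-thru cable could reach the segment where card data is processed, first for a flat network like the one he describes, then for a segmented design, then for the same design undone by a single "set up just in time" any-port rule. Every segment name, host and rule is constructed for illustration.

```python
"""Segmentation as a checkable policy.

Added example, not code from the story or from Lawhorn: the store network
is modelled as segments joined by explicit firewall rules, and the check
asks whether a device on the drive-thru cable could reach the segment
where card data is processed. Segment names, hosts and rules are all
constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A permitted flow between two segments; everything not listed is denied."""
    src: str
    dst: str
    proto: str
    port: int            # destination port; 0 stands for "any"


@dataclass
class Network:
    hosts: dict[str, str]   # host name -> segment it sits in
    rules: list[Rule]

    def segment_of(self, host: str) -> str:
        return self.hosts[host]

    def next_hops(self, seg: str) -> set[str]:
        # Segment granularity: any permitted flow is treated as a potential
        # pivot, whatever its port, which is the conservative reading.
        return {r.dst for r in self.rules if r.src == seg}


def reachable_segments(net: Network, start: str) -> set[str]:
    """Every segment an attacker starting in `start` could work towards."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in net.next_hops(queue.popleft()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure_paths(net: Network, src_host: str, dst_host: str) -> list[list[str]]:
    """All simple segment paths from src_host's segment to dst_host's segment.
    Two hosts in one segment share a path of length one: nothing sits between them."""
    src, dst = net.segment_of(src_host), net.segment_of(dst_host)
    paths: list[list[str]] = []

    def walk(seg: str, path: list[str]) -> None:
        if seg == dst:
            paths.append(path)
            return
        for nxt in sorted(net.next_hops(seg)):
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(src, [src])
    return paths


def segmentation_violations(net, public_hosts, sensitive_hosts):
    """(public host, sensitive host, path) for every exposure found."""
    return [(p, s, path)
            for p in public_hosts
            for s in sensitive_hosts
            for path in exposure_paths(net, p, s)]


# Constructed topologies.
# 1. The flat wiring the story describes: display cable straight into the store LAN.
FLAT = Network(
    hosts={"drive-thru-display": "store-lan", "pos-terminal": "store-lan",
           "manager-pc": "store-lan"},
    rules=[],
)
# 2. Segmented: the display only talks to the order server; the POS segment
#    initiates its own outbound flows and accepts none from the display side.
SEGMENTED = Network(
    hosts={"drive-thru-display": "drive-thru", "order-server": "back-office",
           "manager-pc": "back-office", "pos-terminal": "cardholder"},
    rules=[Rule("drive-thru", "back-office", "tcp", 8443),
           Rule("cardholder", "back-office", "tcp", 8443)],
)
# 3. The same design undone by one "set up just in time" any-port rule.
MISCONFIGURED = Network(
    hosts=dict(SEGMENTED.hosts),
    rules=SEGMENTED.rules + [Rule("back-office", "cardholder", "tcp", 0)],
)

if __name__ == "__main__":
    for name, net in (("flat", FLAT), ("segmented", SEGMENTED), ("misconfigured", MISCONFIGURED)):
        v = segmentation_violations(net, ["drive-thru-display"], ["pos-terminal"])
        print(name, "->", [path for _, _, path in v] or "no exposure")
```

The flat network fails without any rule at all, because the display and the point-of-sale share a segment and nothing sits between them, which is the cable-outside-the-building problem in the story. The check is deliberately pessimistic: it ignores ports and treats every permitted flow as a pivot opportunity, so a path it reports is worth a look even if no single rule seems dangerous on its own.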


The Scoop on Restaurant Loss Prevention and Cash Management www.csoonline.com/article/221170




34,000+ customers

200 million online identities protected.

40 million authenticators deployed.

For an authentication solution that is truly strong, find security in RSA.

The Security Division of EMC

www.rsa.com

Data Loss Prevention | Identity Access Management | Security Information and Event Management

©2009 RSA Security Inc. All rights reserved. RSA and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. EMC is a registered trademark of EMC Corporation.


BLOG POST

Top Ten Reasons You Know Your CISO Must Go

10. They do not have a written, vetted, business-focused and communicated strategic plan that is readily available for viewing.

9. They do not have a written, vetted, business-focused and communicated program that is readily available for viewing.

8. They continue to deploy technology while solving few problems (if it is not sexy...what?).

7. They continue to cry wolf, using FUD at every turn.

6. They submit budgets that do not fully define a return on security investment aligned to a strategy and program.

5. They run a closed shop where loyalty is valued higher than openness and integrity.

4. They do not listen to the heartbeat of the business. Instead, they gloss over issues as solved when in fact they are not, setting up corporate officers for embarrassment and failure.

3. They have not driven configuration management as a core IT value.

2. They are more interested in catching bad guys than solving business problems.

1. They still allow security 101 issues to exist even though they are informed of the problems months and years before. For example, allowing FTP to flourish throughout their environment.

-Jeff Bardin

BLOG  POST 

California  Joins 
Other  States 
in  Addressing 
Electronic 
Evidence 

After  a  rocky  start  and  a  veto 
by  Governor  Schwarzeneg¬ 
ger,  the  California  Elec¬ 
tronic  Discovery  Act  (the 
fAct”)  was  finally  signed 
into  law  in  June  of  this  year.  Given  the 
urgency  of  the  matter,  the  Act  became 
effective  immediately.  Its  final  form  closely 
tracks  the  2006  amendments  to  the  Federal 


Rules  of  Civil  Procedure  relating  to  elec¬ 
tronic  evidence.  Among  other  things,  the 
Act  does  the  following; 

■  Establishes  procedures  for  obtaining 
discovery  of  a  wide  range  of  elec¬ 
tronically  stored  information  (i.e.,  any 
information  stored  in  an  electronic 
medium); 

■  Permits  the  parties  to  agree  to  extend 
the  date  for  inspection,  copying,  testing 
or  sampling  beyond  those  provided  in 
specified  provisions; 

■ The court may limit discovery if the likely burden or expense of the proposed discovery “outweighs the likely benefit, taking into account the amount in controversy, the resources of the parties, the importance of the issues in the litigation and the importance of the requested discovery in resolving the issues;”

■  Provides  that  if  a  party  responding  to 
a  demand  for  production  of  electronic 
evidence  objects  to  a  specified  form 


www.csoonline.com September 2009




EXECUTIVE VIEWPOINT

ADVERTORIAL

Security and Compliance Success

Making  strides  in  managing  security  and 
compliance  with  cost-effective  solutions. 

Abe  Kleinfeld 

PRESIDENT  AND  CEO,  NCIRCLE 

With 30 years of successful management experience in the high technology industry, Kleinfeld has helped nCircle become the leading provider of automated security and compliance auditing solutions.


Security professionals today demand comprehensive management solutions capable of yielding favorable results without compromising already tight budgets. Of course, success depends on the approach. Here, Abe Kleinfeld shares his perspective on how CSOs can best navigate this space.

What  steps  should  CSOs  take 
to  improve  security  and  achieve 
compliance? 

Take proactive measures such as continuously scanning your IT network for risks, vulnerabilities and compliance shortfalls. It costs far less to find problems and fix them in advance of a compliance audit or a data breach than to deal with the consequences afterward.

Also, embrace comprehensive solutions. Learning, deploying and managing individual point solutions translates into higher headcounts and costs. Instead, a cost-effective integrated solution should address a larger percentage of the total compliance and security problem, while yielding timely results.

What  role  do  metrics  play  as  CSOs 
seek  a  return  on  their  security/ 
compliance  investments? 

It’s impossible to accurately track progress without metrics. Yet metrics must measure the right things to drive meaningful behavior and gain valuable results. For example, by employing highly granular risk scoring—taking into account vulnerability risk, asset value, device configurations, application risk and topology assessment—companies can better prioritize remediation efforts to simultaneously reduce costs, improve security and achieve compliance, rather than simply trying to chase everything that moves. In other words, measuring the right things will lead to lower risk and better resource utilization.

Why  is  accountability  important? 

Accountability is a key concern as security professionals implement technologies and processes that identify security and compliance gaps. However, other organizations are often responsible for remediation.

Organizations must have a closed loop process with clear accountability to ensure that their companies are both secure and compliant. The best results occur when companies measure and reward departments for security and compliance performance; for instance, publicly publishing a scorecard for each department against target metrics and tying the department manager’s bonus directly to the scores.

What unique technologies has nCircle embraced in its security and compliance solutions?

With five patents in place and numerous patents pending, nCircle’s commitment to R&D has led to the world’s most comprehensive and agentless security and compliance auditing solution. Agentless technology is important because it is the only way to ensure that IT audits discover and audit every single node on a global network. nCircle Suite360 literally scans every single IP address across a global network and checks for more than 28,000 potential compliance deviations, vulnerabilities, security and configuration flaws, and even monitors file integrity.


In addition, nCircle’s agentless solution automatically audits the entire IT stack, from web applications through middleware, databases, operating systems, as well as network infrastructure. And without any software to install, users enjoy near-instant results with complete audit reports available within hours.

How does nCircle's unified view of security and compliance add value?

Customers no longer have the resources to deploy, learn and manage hundreds of narrowly focused point solutions with overlapping or redundant functionality. nCircle provides a comprehensive solution that audits the entire IT stack across the global enterprise with objective measurement and unified scoring.

By combining all of the important auditing capabilities into an integrated product suite, our customers gain an unprecedented unified view of their compliance and security posture, while benefiting from lower costs and improved organizational processes.


FOR MORE INFORMATION:

Download the free white paper "CSO's Guide to Security and Compliance" at www.csoonline.com/whitepapers/ncircle

nCircle
CSO Custom Solutions Group


>> DISCUSSION

MORE ON THE WEB

Security Tools, Templates and Sample Policies

Need help devising a policy? Creating a risk-evaluation checklist? Check out CSOonline.com’s growing library of examples, covering everything from pandemic planning to acceptable Internet use policies.

www.csoonline.com/article/486324

for producing the information, or if no form is specified in the demand, the responding party shall state in its response the form in which it intends to produce each type of information.

In general, if a demand for production does not specify a form or forms for producing a type of electronically stored information, the responding party would be required to produce the information in the form or forms in which it is ordinarily maintained, or in a form that is reasonably usable, but need not produce the same electronically stored information in more than one form;

■ Sets forth procedures for requesting and objecting to the form(s) of production of electronic evidence;

■  Creates  a  safe  harbor  for  electronic 
evidence  that  has  been  lost,  damaged, 
altered  or  overwritten  as  a  result  of 
“the  routine,  good  faith  operation  of  an 
electronic  information  system;” 

■ Permits the producing party to object to the production of electronic evidence from a source that is not reasonably accessible because of undue burden or expense, but the objecting party shall bear the burden of demonstrating such unreasonableness;

■ If the court finds good cause for the production of electronically stored information from a source that is not reasonably accessible, the court may set conditions for the discovery of the electronically stored information, including allocation of the expense of discovery;

■ In the event that privileged information is inadvertently produced, the disclosing party can notify the receiving party, and the receiving party must immediately “sequester the information and either return the specified information and any copies that may exist” or present the information for court review.

-Michael  Overly 

BLOG  POST 

The Cyber-Czar Challenge

As attacks become more sophisticated and nations get into the act, what we typically get from the US government is a lot of rhetoric. Congress holds hearings, the President decries the lack of a national policy, and corporations strongly assert their commitment to protecting sensitive information. But when the time comes to actually DO something, the back-pedaling begins....

It’s no wonder no one wants this job. It has no power, but the czar will likely serve as a scapegoat when something goes wrong. It’s a position that helps support the rhetoric: “See, we’re doing something.” If Obama wants to make this work, he has to give the position some teeth. The cybersecurity chief’s position must reside


HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213
Twitter: @derekslater

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587
Twitter: @billbrenner70

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Subscriber Services

Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 129, cso@theygsgroup.com.


at least at the same level as the heads of the Security and Economic Councils. He or she must have a formal and equal “seat at the table” when security and economic policy is created.

No, we can’t tie the hands of the directors of our defense and economic planning and implementation. However, the conversation about balancing security with activities in these two critical areas must happen openly, routinely and with the understanding that bad security is not acceptable. No excuses. On the other hand, the administration must guard against knee-jerk reactions that impose unreasonable and inappropriate controls on the national infrastructure. Again, balance... -Tom Olzak




I need seamless access solutions that are convenient and cost-effective.

Contact HID Global for a 90-day trial: hidglobal.com/90DayTrial


By  Mary  Brandel 


Sensing  Trouble 

Wireless  intrusion  prevention  and  detection  systems 
aim  to  defeat  evil  twins  and  other  tricky  hacks 


Wireless intrusion detection and protection (IDP) systems monitor enterprise airwaves with a network of wireless monitors connected to a central server. They capture data from the radio spectrum and analyze it for rogue access points (APs), unauthorized devices, unauthorized association, adherence to policy, incorrectly configured security settings, unexpected behavior and wireless attacks such as MAC spoofing, denial of service attacks and honeypots. They then provide reporting and alerts, which can be sent to workflow systems, trouble-ticketing systems or network management consoles, or they can be sent via e-mail or pager to administrators. Wireless IDP systems can also act against threats automatically once they have detected and classified them.
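Two of the detections named above can be sketched in a few dozen lines. The following is an added example, not code from the article or from any WIPS vendor: it runs a deauthentication-flood check (a denial of service attack) and a BSSID-spoofing check (the evil-twin case, where a second radio reuses a legitimate AP's address) over a constructed sample of captured 802.11 management frames. The frame fields, addresses, timings and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits and wrap from 4095 to 0


@dataclass(frozen=True)
class Frame:
    """One captured management frame, reduced to the fields the checks need."""
    t: float        # capture time in seconds
    subtype: str    # "beacon" or "deauth"
    bssid: str      # transmitter address as claimed in the frame
    channel: int    # channel the sensor heard it on
    seq: int        # 12-bit 802.11 sequence number


def build_sample_capture():
    """Constructed sample capture (not real traffic): one legitimate AP, an
    evil twin reusing its BSSID on another channel, a deauth flood that
    spoofs the legitimate AP, and a well-behaved neighboring AP."""
    frames = []
    legit = "00:11:22:33:44:55"  # hypothetical address
    # Legitimate AP: a beacon every 100 ms on channel 6, sequence numbers rising by one.
    for i in range(20):
        frames.append(Frame(i * 0.1, "beacon", legit, 6, 100 + i))
    # Evil twin: same BSSID, different channel, its own sequence counter.
    for i in range(5):
        frames.append(Frame(0.55 + i * 0.3, "beacon", legit, 11, 3000 + i))
    # Deauthentication flood aimed at the legitimate AP's clients: 40 frames in 0.5 s.
    for i in range(40):
        frames.append(Frame(1.0 + i * 0.0125, "deauth", legit, 6, 3100 + i))
    # Neighbor AP: beacons plus one ordinary deauth, one shared counter that wraps.
    neighbor = "aa:bb:cc:dd:ee:ff"  # hypothetical address
    events = sorted([(i * 0.1, "beacon") for i in range(20)] + [(0.75, "deauth")])
    for k, (t, subtype) in enumerate(events):
        frames.append(Frame(t, subtype, neighbor, 1, (4090 + k) % SEQ_MOD))
    return sorted(frames, key=lambda f: f.t)


def deauth_floods(frames, window=1.0, threshold=10):
    """Return {bssid: peak count} for BSSIDs that sent at least `threshold`
    deauth frames inside any sliding window of `window` seconds."""
    times_by_bssid = defaultdict(list)
    for f in frames:
        if f.subtype == "deauth":
            times_by_bssid[f.bssid].append(f.t)
    flagged = {}
    for bssid, times in times_by_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[bssid] = peak
    return flagged


def spoofed_bssids(frames):
    """Return {bssid: [reasons]} for BSSIDs whose frames disagree on channel or
    whose sequence numbers run backwards, which a single radio never does.
    A wrap from 4095 to 0 is a forward step of 1 and is not flagged."""
    by_bssid = defaultdict(list)
    for f in frames:
        by_bssid[f.bssid].append(f)
    flagged = {}
    for bssid, fs in by_bssid.items():
        fs.sort(key=lambda f: f.t)
        reasons = []
        if len({f.channel for f in fs}) > 1:
            reasons.append("same BSSID heard on more than one channel")
        backwards = sum(
            1 for a, b in zip(fs, fs[1:]) if (b.seq - a.seq) % SEQ_MOD > SEQ_MOD // 2
        )
        if backwards:
            reasons.append(f"sequence number ran backwards {backwards} times")
        if reasons:
            flagged[bssid] = reasons
    return flagged


if __name__ == "__main__":
    capture = build_sample_capture()
    print("deauth floods:", deauth_floods(capture))
    print("spoofed BSSIDs:", spoofed_bssids(capture))
```

Both checks are per-BSSID and stateless beyond the capture itself, which is what lets them run on a sensor before anything is forwarded to a server. The sequence-number heuristic assumes all frames for a BSSID were heard by one sensor; frames merged from several sensors with unsynchronised clocks would need to be ordered first.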

Market  Drivers 

According to Gartner, the wireless intrusion prevention system market is relatively stable. Global revenue grew 18 percent between 2007 and 2008, from $119 million to $140 million, according to John Pescatore, an analyst at Gartner. He’s projecting 14 percent to 15 percent growth in 2009.

Market drivers, however, have changed in that time span, he says. Two or three years ago, companies were buying wireless IDP to detect and disallow wireless or to protect against attacks in the few areas of the enterprise where it was allowed. With the growing acceptance of wireless, however, many companies now invest in these tools to assess their vulnerability to, for instance, incorrectly configured APs, rogue APs, foreign PCs trying to connect to the company’s APs or accidental association of corporate PCs with foreign APs.


“In any dense environment, you can connect to the network of the company upstairs or across the alleyway,” Pescatore says. “So you’re basically deploying listening sensors around the building to detect these things.”

Wireless IDP tools are also hinted at as a best practice in the PCI Data Security Standard, says John Kindervag, senior analyst at Forrester Research. “We see it as a growth





EXECUTIVE VIEWPOINT

Security can no longer be viewed strictly as a risk mitigation activity, says Don Elledge, CEO for San Jose, CA-based Edgile, Inc. Find out what organizations have to gain by aligning security with business and embracing new models that better enable strategic initiatives.

What's  the  greatest  misconception 
about  information  security  today? 

The greatest misconception is that most organizations still view information security strictly as a risk function, something that is required not for business reasons, but to satisfy the auditors. This is important, but the fact is information security has become critical in the enablement of the business—especially as strategies evolve to support outsourcing, a dynamic workforce, Software-as-a-Service (SaaS) and cloud computing, as well as stronger partnerships and closer ties to customers. Without security those initiatives simply aren’t viable.

As  business  models  move  in  new 
directions,  how  is  security  evolving? 

Clearly security models, too, have to move in new directions to accommodate these new business endeavors. However, in many cases security is not changing with the business and it’s becoming very restrictive and even confrontational. Organizations that are progressive around security, though, are evolving their strategies—moving away from traditional network-centric approaches. They’re bringing security to the applications and data and making it independent of the

ADVERTORIAL

Front-End Alignment: Getting Security and Business on the Same Page

Don Elledge, chief executive officer, Edgile, Inc.

As CEO of Edgile and former partner at Deloitte & Touche, Elledge touts 15 years of experience in enterprise security, security strategy and security governance.


network. Those CSOs are pushing their limited investment dollars into technologies such as identity and access management and putting security into the applications and around specific requests or data objects, such as files or email.

Looking at security in this new light, what's the single most important step CSOs must take?

Fundamentally, CSOs need to move away from treating security as just a risk function and at the same time embrace new models that inherently support the business. The first step is to align security strategies around the capabilities needed to support the business strategy. By doing that, they’ll find that the whole conversation around security in the organization fundamentally changes. That’s particularly important today, because CSOs need funding to address the changing needs, and risk arguments are not freeing up enough cash to do the job.

What's  to  gain  by  aligning  security 
with  business  strategies? 

In addition to driving funding, aligning security with business strategy in effect aligns it with all the key initiatives taking place in the organization. So if the business strategy is to outsource non-strategic technology capabilities through SaaS models or to create stronger relationships with partners, a business-aligned security strategy will be designed to enable these initiatives. It’s that tight alignment that allows CSOs to drive security through active projects.


Can you highlight a customer that's had particular success in achieving such alignment?

We have a customer that has seen strong growth over the past five years, in part due to an aggressive business strategy.

Yet their security strategy was a very traditional, network-centric approach. As we went through the process of developing a security model that was tightly aligned with their stated business strategy, we got alignment and support at very high levels of the organization, allowing the CISO to fund a number of key security initiatives—at a time when money was extremely tight. In the end, we achieved a great deal of success both in transforming their security direction and embedding security within a number of key initiatives that ultimately enable the business strategy.


FOR MORE INFORMATION

Check out the white paper "Business Aligned Security" at www.csoonline.com/whitepapers/edgile.

Edgile
CSO Custom Solutions Group


>>  TOOLBOX 


area  because  PCI  is  encouraging  its  use  for 
wireless  scanning,”  Kindervag  says. 

Selection  Criteria 

The  following  are  features  and  functions 
that  companies  may  wish  to  consider  when 
making  a  product  selection,  according  to 
Burton  Group. 

Integration with wired-side switch port shutdown. Enables automated containment on the wired side.

Air-side containment and blocking. Enables temporary disablement of rogues and “evil twins.”

Integration with RF topology maps. Increases efficiency of location pinpointing.

Location-aware monitoring. Provides policy enforcement based on position of devices.

Remote management of sensors. Particularly good for highly distributed organizations.

Small and midsize business offering. Good for distributed companies with small sites.

"No fly" mode or template. Useful for companies that forbid wireless in certain areas of the enterprise.

Wireless IDP Attributes

According to Info-Tech Research Group in Ontario, wireless IDP tools provide the following capabilities:

■ Visibility into suspicious wireless network activity;

■ Rogue access-point detection and suppression;

■ Ad hoc network suppression;

■ Network intrusion detection and prevention;

■ Policy creation and enforcement;

■ Device location services;

■ Flexible reporting options;

■ Ability to monitor and report on wireless network performance.

Role-based access to management user interface. Shares information with multiple stakeholders.

Integration  with  the  help  desk.  Enables 
troubleshooting  of  wireless  network 
connections. 

Integration with network monitoring. Enables network management from an integrated console.

Escalated or hierarchical alerting. Provides a more efficient response.

Support for power over Ethernet. Eliminates need for additional power outlets.

Bandwidth management. Eases burden on low-bandwidth WAN links.

Auto-classification. Reduces false positives and eases administration.

DoS protection. Helps maintain network availability.

Scalability/high availability. Necessary for large, highly distributed networks.

Preventive automation. Enables automatic break or containment of unauthorized associations.

Integration  with  mobile  tools.  Enables 
reuse  of  site  survey  information  gathered 
from  mobile  tool  as  part  of  the  console 
WIPS  intelligence. 

Large-area  sensors.  Reduces  number 
of  sensors. 

Prime  Considerations 

Integrated versus overlay. Wireless network infrastructure vendors such as Aruba and Cisco provide integrated IDP capabilities, while other vendors offer overlay systems that are deployed and managed separately from the operational wireless system. Infrastructure vendors’ tools are tightly coupled to the vendor’s APs, which perform the dual functions of providing access and scanning for security-related information. However, an AP cannot perform both functions at the same time, so there are coverage gaps, Pescatore points out. Also, he says, such APs generally only monitor the frequencies that the AP itself works on. Meanwhile, overlay systems provide dedicated sensors that are 100 percent in “receive” mode and provide full-time security monitoring across all frequencies.

Generally, Pescatore says, companies that want to prevent the use of wireless networks—as well as companies locked into older wireless technologies—should consider overlay products. Those that don’t have the budget for overlay security systems or that have little wireless network exposure or low security demands can meet their needs with an integrated approach, he says.

Paul DeBeasi, analyst at Burton Group, agrees that for the vast majority of enterprises, using a shared sensor is good enough. “The people who are most risk-averse and have the budget should go with a dedicated sensor,” he says.

Chris Roberts, manager of network and security operations at vehicle auction provider Adesa, chose the overlay approach from AirTight Networks because he wanted to separate the data transport function from the security function. “I like knowing that my security product is not also my data transport product,” he says. “At the end of the day, all devices are susceptible to failure, and keeping them isolated—while more expensive—is more pure, and I get much higher value.”

Smart versus thin sensor. There are differences in how wireless IDP sensors and engines work together that can affect how remote management is handled and the bandwidth burden on the network, Burton Group points out. With smart sensors, for instance, part of the data analysis is performed on the sensor, resulting in a reduction of data sent to the analysis engine. A potential downside to this architecture is that the software on the sensors may require upgrades to stay current. With thin sensors, the Burton Group says, data is forwarded to the server for analysis. Although






Wireless Intrusion Prevention: Major Players

The landscape has evolved with several major acquisitions in the past few years. Gartner identified the following key vendors and products.

Motorola AirDefense
General description: Before being acquired by Motorola in 2008, AirDefense was the largest overlay WIPS vendor, introducing its first WIPS product in 2002.
Strengths: Generally the first to market with security features. Provides the most detailed information on wireless activity.
Weaknesses: With its comprehensiveness also comes complexity.

AirMagnet
General description: Founded in 2001, AirMagnet has roots in the network sniffer market. Entered the WIPS market when it added distributed security monitoring and analysis to its traditional performance monitoring and troubleshooting capabilities.
Strengths: Strong relationship with Cisco, with which it is closely integrated. Considered to have the widest range of wireless management tools.
Weaknesses: Its security features are considered less broad and deep versus its competitors. For this reason, it may be most appropriate for companies that want to use one product for both security and wireless network operations.

AirTight Networks
General description: Established in 2005, AirTight has quickly established growing financials and an installed base. Its pure-play approach limits it to selling as an add-on, but frees it to concentrate solely on intrusion protection.
Strengths: The product is considered easy to set up and avoids false alarms by using multiple checks to classify rogues. Available as a SaaS offering.
Weaknesses: Its relative youth in the market may cause concern.

Aruba Networks
General description: Founded in 2002, Aruba began by offering a WIPS module for its wireless infrastructure system. By acquiring Network Chemistry, it added an overlay product, and after purchasing AirWave, it also added a rogue detection module.
Strengths: Generally considered one of the market’s easiest to use, deploy and manage.
Weaknesses: The integration of Aruba, Network Chemistry and AirWave technologies is a large engineering effort. The disparate sources of its security technology result in a confusing product approach to WIPS.

Cisco
General description: A major player in wireless infrastructure, Cisco’s security product provides core WIPS functions.
Strengths: Cisco’s production solutions are widely deployed, capturing two-thirds of the wireless infrastructure market. It has invested heavily in wireless security and has aggressively pursued the integration of network security and management.
Weaknesses: Cisco’s unified network strategy is seen as complex, which makes it confusing to understand how to take advantage of its WIPS capabilities.

Source: Chart created using information from the Gartner 2008 MarketScope for “Wireless LAN Intrusion Prevention Systems”


some vendors provide bandwidth management, this architecture does result in more traffic moving across the network and heavier processing loads on the server, Burton Group says.

DOs and DON’Ts

DO plan on spending time setting up the tool. For Ryan Holland, CIO of infrastructure at The Ohio State University, a key success factor of using the wireless IDP system from Aruba was to use the tool’s custom rules to define what a rogue AP is. With the university located close to many shops, apartment buildings and departments that also deploy wireless networks, he narrowly defines rogue APs as those that use the university’s network identifiers but do not appear on the list of APs managed by his organization. “We can see APs from McDonald’s and Panera Bread, but we don’t want to take action against those because they’re our known neighbors,” he says.

With Aruba’s acquisition of AirWave—which provides a rogue detection module within its wireless management suite—Holland says there is even more granularity to the system’s rule customization. For instance, he can define rogues based on characteristics such as signal-level thresholds or whether the AP is connected to both the wireless and wired networks. Holland also likes that once he’s shaped his policies and alerts, the system automatically provides a breakdown, classifying the types of APs on the network. This helped reduce the thousands of APs that the system reported on to about 30. “We could weed out the stuff we don’t care about and report on what we do care about,” he says. “It brings it to a human level.”
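Holland’s rules can be written down as a small classifier. The following is an added example, not Aruba or AirWave code and not taken from the article: it applies the criteria he describes (the university’s own network identifiers, a managed-AP inventory, a list of known neighbors, a signal-level threshold, and whether the AP is also seen on the wired network) to a constructed list of observed access points and produces the per-category breakdown he mentions. Every SSID, BSSID and the -75 dBm threshold is a hypothetical value.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    """One access point as reported by the sensors (constructed records)."""
    bssid: str          # radio MAC address the AP advertises
    ssid: str           # network name it advertises
    rssi_dbm: int       # strongest signal level any sensor heard it at
    on_wired_lan: bool  # its MAC also shows up on one of our switch ports


# Policy inputs; all hypothetical values.
MANAGED_BSSIDS = {"00:1a:1e:00:00:01", "00:1a:1e:00:00:02"}  # managed-AP inventory
CORPORATE_SSIDS = {"osu-wireless", "osu-guest"}              # our network identifiers
KNOWN_NEIGHBOR_SSIDS = {"McDonalds Free WiFi", "Panera"}     # neighbors we never act on
RSSI_THRESHOLD_DBM = -75   # weaker than this is treated as outside our walls


def classify(ap):
    """Return (category, action) for one observed AP. Rules are ordered by
    severity; the first match wins."""
    if ap.bssid in MANAGED_BSSIDS:
        return "managed", "none"
    if ap.ssid in CORPORATE_SSIDS:
        # Uses our network name but is not in our inventory: a rogue or evil twin.
        # Contain it over the air; if it is also on our wire, shut the switch port too.
        action = "contain and shut switch port" if ap.on_wired_lan else "contain"
        return "rogue (corporate SSID)", action
    if ap.on_wired_lan:
        # Any unmanaged AP bridged onto the wired LAN is a rogue whatever its SSID.
        return "rogue (on wired LAN)", "shut switch port"
    if ap.ssid in KNOWN_NEIGHBOR_SSIDS:
        return "known neighbor", "ignore"
    if ap.rssi_dbm < RSSI_THRESHOLD_DBM:
        return "external (weak signal)", "ignore"
    return "unknown, in range", "investigate"


def breakdown(aps):
    """Count APs per category: the summary that turns thousands of sightings
    into a short list worth a person's attention."""
    return Counter(classify(ap)[0] for ap in aps)


SAMPLE_APS = [  # constructed observations, not real data
    ObservedAP("00:1a:1e:00:00:01", "osu-wireless", -48, False),
    ObservedAP("00:1a:1e:00:00:02", "osu-guest", -52, False),
    ObservedAP("c0:ff:ee:00:00:01", "osu-wireless", -61, False),  # evil twin, own BSSID
    ObservedAP("c0:ff:ee:00:00:02", "linksys", -55, True),        # employee AP on our LAN
    ObservedAP("c0:ff:ee:00:00:03", "Panera", -70, False),
    ObservedAP("c0:ff:ee:00:00:04", "NETGEAR23", -86, False),     # apartment across the street
    ObservedAP("c0:ff:ee:00:00:05", "free_wifi", -47, False),     # strong, unknown, not on wire
]

if __name__ == "__main__":
    for ap in SAMPLE_APS:
        print(f"{ap.bssid}  {ap.ssid:<14} {ap.rssi_dbm:>4} dBm -> {classify(ap)}")
    print(dict(breakdown(SAMPLE_APS)))
```

One caveat the rule order makes visible: an evil twin that clones a managed BSSID exactly is classified "managed" here, because the inventory check comes first and looks only at the address. Catching that case needs frame-level evidence (channel, sequence numbers, signal fingerprint), not an inventory lookup.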

Jon Covington, senior network engineer at UCLA Medical, says the university dedicates a full-time resource to leverage the Motorola AirDefense tool. “We want to know what that button does, what that bell or whistle does,” he says. “There are also levels above myself who need to know there’s good ROI and TCO, that it’s not just a gadget.” It’s been worth it, he says. “We’ve been able to draft a security policy with teeth behind it to comply with HIPAA standards,” he says.

Covington also agrees that it takes time to work with the system to help make sense of the volumes of data collected. “As it listens, it records everything it sees, but you only have a fixed volume of disk space,” he says. “You have to be aggressive about knowing what you want.”

In this way, he says, wireless IDP is not for the faint of heart. Covington estimates that in two years’ time, his group has graduated to using about 65 percent of the tool’s features. “You can’t just hang it up and let it run by itself,” he says. “To get the ‘wow’ experience, you have to work with it.”

DO consider integration with a management tool. Pescatore recommends that the security and operations groups try working together on choosing a system that covers both wireless monitoring and security. That’s because once the company decides to fully support wireless, it’s not long before the help desk begins getting calls from users unable to get on the network, and operations needs to determine what the problem is—whether it’s the access point, interference or the client PC. AirMagnet is a vendor that originated on the performance and capacity side of the house and added security capabilities, he points out.

Roberts says AirTight’s management capabilities were a big reason he was able to justify the cost of an overlay solution, especially in his outdoor environment, where installation of wireless IDP and access points was particularly costly, requiring the use of a scissor lift and specialized personnel.

“When we made the decision to use a standalone system, we knew we were going to absorb extra costs to do the job,” he says. However, because AirTight’s system also performs management tasks, Roberts says he found $40,000 in cost savings in not having to install wireless analyzers, which sell for about $1,000 per device.

“With AirTight sensors, they give you direct access to data, so you’re pulling packets out of the air and bringing them down to the software analyzer on the PC. You’re getting two features that the industry hadn’t put together before.” Adesa network engineers also love having the ability to do real-time troubleshooting with clients, he says.

At Ohio State, the Aruba sensors send data to the AirWave management platform, which provides monitoring, reporting, configuration, visualization and rogue detection. Although Holland has not yet taken advantage of all these capabilities, he can see its future potential in the university’s decentralized environment. For instance, if another department that uses a different wireless infrastructure vendor like Cisco wants to be managed by Holland’s centralized services group, he could accommodate that because AirWave works with multiple vendors. “We’d be able to manage it from one place,” he says.

DON’T overlook the impact on bandwidth. Holland says it’s important to balance data granularity with bandwidth concerns. While the Aruba system isn’t bandwidth-intensive, he says, it does add management overhead and additional processing on the controllers, “so you need to consider whether the network can support that increase,” he says.

This is especially true in organizations with remote offices. “If you have a field location with a 180-kilobit link back to headquarters and the sensor starts using the entire 180 kilobits, you can’t live that way,” Pescatore says. If you have low-bandwidth networks, you should focus on vendors that do more processing at the access point and reduce data on the network.

“Now that wireless is pretty well accepted, people are finding out they don’t always need the best system in terms of security; they need one they can afford.”
Chris Roberts, manager of network and security operations at vehicle auction provider Adesa

DON’T expect precision from location services. Many wireless IDP tools offer location services, which rely on triangulation to estimate the physical location of a wireless device, with a claimed accuracy within three meters if three access points can detect the signal, according to InfoTech.

Some have also added location- and zone-based authentication, which enables clients to access data from specific APs on the network or creates authentication zones based on client location. This technology is in high demand, according to InfoTech.

However, Holland points out that a product’s location capabilities are completely dependent on sound design. At the university, for instance, he says the APs are placed in such a way that they’re unable to determine rogue location through triangulation. Indeed, while vendors claim they can give you the precise location of rogue or misconfigured APs, Pescatore says, they are more likely to narrow it down to a couple of cubicles or the corner of a building. That’s because there are many things in buildings, like metal, that can block AP signals, and placement often has more to do with where you have power or Ethernet connections than optimal triangulation. As Pescatore says, “don’t fall in love with location abilities.”

Holland was able to use Aruba’s location services and time stamps to aid an investigation into a student who was spamming university e-mail accounts. “It helped the detectives to be able to say, ‘We know you were here at this time,’” he says. “With that information, it’s hard for the attacker to deny what he did.”

Roberts says he was impressed with the location services that AirTight inadvertently was able to display during a product demo. The tool detected a rogue AP three offices away that, it turned out, his team had installed during another test a month before and had forgotten to dismantle. “They were just four feet away from the actual location,” he says.
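To make concrete why Holland’s AP placement defeats triangulation and why Pescatore warns against trusting the fix, here is an added worked example; it is not code from the article, from Aruba, AirTight or any other vendor. It converts RSSI to range with an assumed log-distance path-loss model (the two constants are assumptions), then solves a least-squares trilateration from three sensors; the sensor coordinates and readings are constructed. On a well-spread sensor triangle it recovers the target exactly from clean readings; a 3 dB error common to all three readings (a wall, a metal cabinet, a body in the way) moves the fix by well over a metre; and three sensors in a line, as along a corridor where the power and Ethernet happen to be, cannot resolve the position at all.

```python
"""Trilateration of a rogue AP from sensor RSSI, and why sensor geometry limits it.

Added example, not code from the article or from any wireless IDP vendor.
The path-loss constants, sensor coordinates and readings are assumptions
constructed for illustration.
"""
import math

RSSI_AT_1M = -40.0    # assumed reference signal strength at 1 m, in dBm
PATH_LOSS_EXP = 2.5   # assumed indoor path-loss exponent (2.0 = free space)


def rssi_to_distance(rssi_dbm):
    """Inverted log-distance path-loss model: d = 10 ** ((P_1m - rssi) / (10 n))."""
    return 10.0 ** ((RSSI_AT_1M - rssi_dbm) / (10.0 * PATH_LOSS_EXP))


def distance_to_rssi(d_m):
    """Forward model, used here only to synthesize readings for a known geometry."""
    return RSSI_AT_1M - 10.0 * PATH_LOSS_EXP * math.log10(d_m)


def trilaterate(sensors, distances):
    """Least-squares position from >= 3 sensors at (x, y) with a range to each.

    Subtracting the first circle equation from each of the others gives a
    linear system A p = b in the unknown point p; solve the 2x2 normal
    equations (A^T A) p = A^T b. Returns None when the sensors are collinear:
    the system is then rank-deficient, because a line of sensors cannot tell
    which side of the line the target is on.
    """
    (x0, y0), d0 = sensors[0], distances[0]
    rows, rhs = [], []
    for (xi, yi), di in zip(sensors[1:], distances[1:]):
        rows.append((2.0 * (xi - x0), 2.0 * (yi - y0)))
        rhs.append(d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2)
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * v for r, v in zip(rows, rhs))
    b2 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        return None
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def locate(sensors, rssi_readings):
    """Position estimate from raw RSSI, or None if the geometry cannot resolve it."""
    return trilaterate(sensors, [rssi_to_distance(r) for r in rssi_readings])


def fix_error_m(sensors, true_point, rssi_bias_db):
    """Synthesize readings for a known target, apply one RSSI bias to all of
    them (an obstruction attenuating every path), and return the position
    error of the resulting fix in metres, or None if there is no fix."""
    readings = [distance_to_rssi(math.dist(s, true_point)) + rssi_bias_db
                for s in sensors]
    estimate = locate(sensors, readings)
    return None if estimate is None else math.dist(estimate, true_point)


if __name__ == "__main__":
    triangle = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]   # constructed, metres
    corridor = [(0.0, 0.0), (10.0, 0.0), (20.0, 0.0)]   # constructed, collinear
    target = (3.0, 4.0)
    print("clean readings, triangle:", fix_error_m(triangle, target, 0.0))
    print("3 dB attenuation, triangle:", fix_error_m(triangle, target, -3.0))
    print("clean readings, corridor:", fix_error_m(corridor, target, 0.0))
```

Vendor location engines use more sensors, calibrated RF fingerprints and filtering over many samples, but the geometry constraint is the same: without sensors spread around the target, extra samples only average the noise, they do not remove the ambiguity.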

DO use automatic prevention sparingly. Holland does not use Aruba’s automatic prevention capabilities at all. Instead, he reviews weekly reports that classify rogue APs detected on the network. He investigates these instances as to when they were discovered, by which APs, signal strength and duration on the network. If it’s warranted, his group goes to the site where the rogue was detected for a physical investigation. “Experience has shown that most cases are someone misconfiguring their laptop when they’re trying to connect,” he says.

Holland can also remotely “contain” APs that meet certain criteria, which protects users from joining that AP while Holland’s group begins an investigation.
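The weekly review Holland describes, as an added worked example rather than code from the article or from any vendor: the sensor export format, the AP inventory, the thresholds and the verdict labels are all assumptions, and the observation rows are constructed. It groups observations by BSSID, derives the fields Holland looks at (when discovered, by which sensors, signal strength, duration) and ranks which entries merit a site visit. An unknown radio advertising the corporate SSID is the one case where containment is suggested, and even there the output is a recommendation for a person, not an automatic block.

```python
"""Rogue-AP triage over a weekly sensor export.

Added example, not code from the article or from any wireless IDP product.
The export format, thresholds, inventory, verdict labels and sample rows
are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: timestamp,sensor,bssid,ssid,mode,rssi_dbm
OBSERVATIONS = """\
2009-09-08T07:30:00,sensor-12,00:1c:f0:99:88:77,linksys,infra,-58
2009-09-10T12:05:00,sensor-13,00:1c:f0:99:88:77,linksys,infra,-52
2009-09-14T18:45:00,sensor-12,00:1c:f0:99:88:77,linksys,infra,-55
2009-09-14T08:02:00,sensor-12,00:1a:1e:aa:bb:01,corpnet,infra,-48
2009-09-14T09:10:00,sensor-12,00:21:5c:11:22:33,Chris-PC,adhoc,-62
2009-09-14T09:30:00,sensor-12,00:21:5c:11:22:33,Chris-PC,adhoc,-64
2009-09-14T11:00:00,sensor-13,00:0f:66:de:ad:01,corpnet,infra,-55
2009-09-12T22:15:00,sensor-11,00:16:b6:01:02:03,NETGEAR,infra,-84
"""

AUTHORIZED_BSSIDS = {"00:1a:1e:aa:bb:01"}   # assumed AP inventory
CORPORATE_SSIDS = {"corpnet"}               # assumed production SSIDs
STRONG_DBM = -65        # assumed: stronger than this is probably inside the building
PERSISTENT_HOURS = 24   # assumed: seen across more than a day is not a passer-by

# Verdicts; the lowest number is looked at first.
CONTAIN, INVESTIGATE, MISCONFIGURED, MONITOR, AUTHORIZED = range(5)
LABELS = {
    CONTAIN: "unknown radio using corporate SSID: contain, then investigate",
    INVESTIGATE: "persistent strong unknown AP: physical investigation",
    MISCONFIGURED: "ad hoc client, likely a misconfigured laptop: notify user",
    MONITOR: "weak or transient: monitor only",
    AUTHORIZED: "authorized",
}


def parse(text):
    """Yield one dict per CSV row of the sensor export."""
    for line in text.strip().splitlines():
        ts, sensor, bssid, ssid, mode, rssi = line.split(",")
        yield {"ts": datetime.fromisoformat(ts), "sensor": sensor,
               "bssid": bssid.lower(), "ssid": ssid, "mode": mode,
               "rssi": int(rssi)}


def summarize(rows):
    """Collapse observations per BSSID: when seen, by which sensors, how strong, how long."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["bssid"]].append(r)
    summary = {}
    for bssid, obs in groups.items():
        first = min(o["ts"] for o in obs)
        last = max(o["ts"] for o in obs)
        summary[bssid] = {
            "ssid": obs[0]["ssid"], "mode": obs[0]["mode"],
            "first_seen": first, "last_seen": last,
            "hours_seen": (last - first).total_seconds() / 3600.0,
            "max_rssi": max(o["rssi"] for o in obs),
            "sensors": sorted({o["sensor"] for o in obs}),
        }
    return summary


def classify(bssid, s):
    """Apply the triage criteria to one BSSID summary, most serious first."""
    if bssid in AUTHORIZED_BSSIDS:
        return AUTHORIZED
    if s["mode"] == "adhoc":
        return MISCONFIGURED          # Holland's most common case
    if s["ssid"] in CORPORATE_SSIDS:
        return CONTAIN                # impersonating the corporate network
    if s["max_rssi"] >= STRONG_DBM and s["hours_seen"] >= PERSISTENT_HOURS:
        return INVESTIGATE            # on the premises and not going away
    return MONITOR


def triage(text):
    """Return [(bssid, verdict, summary)] ordered by how urgently each needs a human."""
    summary = summarize(parse(text))
    ranked = [(b, classify(b, s), s) for b, s in summary.items()]
    ranked.sort(key=lambda item: (item[1], -item[2]["max_rssi"]))
    return ranked


if __name__ == "__main__":
    for bssid, verdict, s in triage(OBSERVATIONS):
        print(f'{bssid}  {s["ssid"]:<9} {s["max_rssi"]:>4} dBm  '
              f'{s["hours_seen"]:6.1f} h  {",".join(s["sensors"]):<19} '
              f'{LABELS[verdict]}')
```

The MONITOR bucket exists so that a weak or briefly seen signal, most likely a neighbor’s AP, is never a containment candidate: deauthenticating clients of someone else’s legitimate network is exactly the kind of collateral damage the “sparingly” advice guards against.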

DO consider ease of use, ownership and operation. Roberts says AirTight’s automated management and setup features were a big reason he eventually selected that product, including the way it handles entering known devices and access points. With 800 access points, it could take 15 minutes per device to log in, review log data and detect vulnerabilities, not to mention security audits. With AirTight, however, device management does not even require a full-time position. “It’s part of the wireless person’s job, requiring about 20 percent of their time,” he says. “AirTight’s automation has been in the high 90 percent range.”

“Now that wireless is pretty well accepted, people are finding out they don’t always need the best system in terms of security; they need one they can afford,” Pescatore agrees. Examine available tools for their reporting, user interface and the additional information they provide to help isolate issues such as a denial-of-service attack versus interference from a leaky microwave, he says.

Covington says he appreciates Motorola AirDefense’s user-friendly reporting capabilities. While other tools require you to export data into a separate reporting system, it enables you to build the visual graphics that executives prefer, customize reports and send them easily to the people who need to see them. For the features that are less intuitive, he says his group works with Motorola directly to point out where they could increase ease of use. “Without that feedback, they wouldn’t know,” he says.

DON’T overlook nonsoftware costs. When it comes to wireless IDP cost, hardware is only one element, Roberts says. It’s easy to overlook the cost of cabling, solar panels and battery packs to power the sensors, especially for outdoor implementations. “It’s not the hardware costs you need to be concerned with,” he says. “It’s the electrical costs of providing power and connectivity back to the network.”

DO evaluate new wireless technology coverage. As new wireless technologies such as 802.11n, WiMAX and 3G cell data services appear, users bringing rogue APs to the workplace will once again become more prevalent, as in the early days of wireless, Pescatore says. “There are faster forms of wireless working their way in beyond 802.11 and WiFi,” he says. Air cards are another element that employees or visitors may introduce through their laptops, either inadvertently by leaving them running or purposefully to bypass URL blocking. Some wireless IDP tools do detect these newer technologies, while others don’t, Pescatore says. ■

Mary Brandel is a freelance writer based outside Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.


In the physical and digital worlds, organized crime is a growing headache for corporate CSOs. Here’s your guide to the new Mob.

CSOs are pros. Likewise, the threats they fend off come increasingly from professional opponents. The word “mob” may conjure images of Tommy Gun-toting patriarchs, but the new mob, while still bearing some connections to the old crime families, is looser in its structure and thoroughly modern in its tactics. “People have got to get the image of Don Corleone out of their minds,” says Frank Heidt, CEO of Leviathan Security. “That isn’t organized crime, and it hasn’t been since the 1950s.”

Retail crime specialists think that about 40 percent to 45 percent of retail theft now comes from organized crime groups. Efficiently shoplifting and fencing everyday products, organized retail theft creates a $30 billion to $40 billion hole in balance sheets in the U.S. alone.

On the digital side, a 2009 data breach report by Verizon Business Services estimated that 91 percent of cyberrecords theft went to organized criminal groups. Cybercrime costs businesses billions of dollars worldwide, perhaps even more than a hundred billion dollars. The sheer scope of these problems means CSOs can’t leave the job to the police. The kind of organized crime that plagues corporations is fluid and flexible, flouting national or ethnic boundaries in ways deliberately meant to frustrate law enforcement. It’s a shadow economy that only gets bigger when clouds obscure the regular economy. Understanding the adversary is, as always, the first step toward finding solutions. Actively sharing information and best practices comes close behind.

Hence this guide. CSO spoke with leaders both on the corporate side and in various industry and law enforcement groups to show the mechanisms of today’s organized crime and the steps you can take to protect your business against it. Naturally, the best answer to organized crime is organized defense.

Illustration by Nancy Stahl


Small, loosely connected gangs illustrate the challenge of stopping organized retail theft


When police caught a thief trying to steal $4,500 in goods from a Publix supermarket near Lakeland, Fla., the local sheriff didn’t treat it like just another shoplifting case. He assigned a detective to look into it.

As part of Operation Beauty Stop, a seven-month investigation, a detective found a ring of thieves hitting stores throughout central Florida. They stole from Publix, Sweetbay, Target, Wal-Mart and other stores. They could hit 15 stores in a day, stealing roughly $3,500 of goods per store. Goods were resold through Lola’s Discount Warehouse, which operated on eBay and at area flea markets. When officers moved in and arrested 18 people, they estimated that over a five-year period, between $60 million and $100 million worth of goods were stolen. “It’s staggering,” says Grady Judd, Polk County’s sheriff.

And well organized. The Polk County ring used to fill shopping lists for Lola’s owner, Theresa Parrish. Another ring, busted by Polk County Sheriff’s officers in March, had operated for seven years, recruiting illegal aliens to steal baby formula. It had a facility in North Carolina where it could relabel cans. That ring probably stole $17 million worth of baby formula over seven years.

The U.S. national motto is often “shop ’til you drop.” In times like these, the corollary becomes “steal it and deal it.” In retail stores, crime rings have found what Sheriff Judd calls a “soft underbelly” of American law enforcement. He says even retailers often think of retail theft as “a minor event.” The penalties for shoplifting are low, and retailers have little interest in making it harder for legitimate consumers to get at goods. Meanwhile, bloodless crimes often don’t make pulses race, even in the 28 percent of cases where traditional organized crime seems to be involved.

Perhaps that’s why retail criminal rings offer a melting-pot view of America. “It’s an unbiased crime,” says Casey Chroust, senior vice president of retail operations at the Retail Industry Leaders Association (RILA). It happens everywhere: urban stores and rural retailers, mom-and-pop shops and Wal-Mart. A National Retail Federation survey found that 92 percent of retailers said they’d been the victims of organized retail theft in 2008. Organized retail thieves swiped between $15 billion and $30 billion in goods a year. Their favorite targets: razor blades, infant formula, teeth whiteners, Oil of Olay, diabetes-related supplies, branded apparel, consumer electronics and Blu-ray discs.

Tens of billions of dollars, lost. Some of it occurs when thieves target warehouses or even individual trucks filled with goods. A case in New Jersey alleges that the Gambino crime family planted an associate in a Lowe’s store to steal from within. But often, goods walk out of stores in “booster” bags, hollowed-out, oversized purses lined with tin foil, a simple kludge against store security gates.

The best defense against nonemployee retail theft is usually feet on the floor, says retail security consultant King Rogers. But retailers have cut hundreds of thousands of jobs in the past 18 months, from sales floor workers to back-room loss-prevention staff. “It absolutely does increase risk,” says Rogers. He expects to see retailers report big inventory losses over the next 18 to 24 months. In fact, losses are already showing up: A RILA survey in April found that 72 percent of members saw an increase in organized retail crime over the prior four months, outstripping the 61 percent of members who saw simple shoplifting rise.

But there was a sliver of members, 3 percent, who saw a drop in organized retail crime, and another 25 percent whose numbers were flat. Brad Brekke, vice president of asset protection at Target, says the company has not seen a significant increase in organized retail theft.

He says the main factor in Target’s success at holding the line on retail crime comes from the way it organizes itself. Its cuts have been strategic, not wholesale. The store also has a four-pronged approach in place to battle organized theft:

1. Diverse hiring. Target doesn’t just hire from law enforcement. Brekke himself is a lawyer who spent a number of years at the Federal Bureau of Investigation before coming to Target in 1997. Target has an internal forensics lab for lifting fingerprints, and it also hires people with experience in information systems, finance and analytics so it can look for patterns that help it predict where thieves might strike next.

2. Intergroup cooperation. Target collaborates through vehicles like LERPnet (Law Enforcement Retail Partnership and Network), an information-sharing network between big retailers and law enforcement; and the National Cyber-Forensics and Training Alliance, a government and industry collaboration for fighting cybercrime.

3. Technology. Target now uses IP-based camera systems that allow for remote surveillance of its stores.

4. Partnerships. Besides national information-sharing efforts like LERPnet, Target works to form alliances with various law enforcement officials and with other retailers.

Led by VP of Asset Protection Brad Brekke, Target is dealing aggressively with organized retail theft.

NO REFUND

In one recent case, Target helped snare a four-person ring committing refund fraud. Refund fraud happens when people buy something, remove it from its box, put something of similar weight into the box, reseal it, return it, then sell the original item on an Internet auction site like eBay.

Target spent four months tracking the thefts, which took place in Florida, Georgia, North Carolina, New Jersey and Pennsylvania. An analytics specialist created a map of the frauds. Its forensics lab was able to lift fingerprints from returned boxes to help track the criminals. It then worked with law enforcement officials in Florida, who seized eight computers, a shrink-wrapping machine and more than $50,000 in stolen merchandise.

Four months of work by multiple people is indicative of what it takes to fight organized retail crime. Those who commit refund fraud tend to be college educated and well organized, planning trips of one to three days in length and then moving on. They may ship goods back to their home base for repackaging, then sell them through an Internet auction site. Often, these groups are just three or four people, which makes it difficult for law enforcement to infiltrate them in the way they could with traditional organized crime. Such groups are simply too small, says Sal Lafrieri, president of Protective Countermeasures in New Rochelle, N.Y.

Law enforcement finds retail theft rings difficult to prosecute. Jurisdiction often is unclear or the relationship between a string of thefts is difficult to prove. The cases represent a staffing challenge, too. Polk County committed 40 officers to Operation Beauty Stop the day it made the arrests.

Some experts in the industry point to the need for federal legislation against organized retail crime. That would ease jurisdictional issues, and more-serious penalties could deter some of the crimes. But practically speaking, laws against organized retail crime didn’t pass in better times, and currently proposed laws probably won’t gain much traction on Capitol Hill.

Sheriff Judd favors federal legislation, but he says retailers would do better to work together on more secure practices. Why, for instance, don’t more retailers move baby formula to secure parts of the store?

LERPNET LURCHES INTO ACTION

Part of the reason why is the natural reluctance to make it harder for legitimate customers to buy things. But retailers are beginning to collaborate through networks such as LERPnet (www.lerpnet.com). LERPnet, barely two years old, gets mixed reviews. “Execution and management of the process by the NRF [National Retail Federation] hasn’t quite got it to be a tool that people are getting a lot of value from,” says Paul Jones, global director of retail partnerships at eBay and former head of loss prevention for Limited Brands.

LERPnet “has gone through some growing pains,” says Joseph LaRocca, senior advisor on loss prevention at the NRF. But he says even in its early stages, LERPnet does make a difference. A specialty retailer recently used data from LERPnet to alert store managers about a booster bag ring: shoplifters using specially lined bags to avoid setting off security sensors. When the ring hit one of its stores, managers recognized the crime as it was in process, preventing a $1,500 loss.

In late July, a pilot program tying LERPnet with geomapping data was launched. The NRF continues to work to bring major retailers into the system, which now has close to 100,000 incidents in its database. By the end of September, LERPnet should connect with the FBI-led Law Enforcement Online (LEO) network, opening access to law enforcement officials nationwide.

Jones says the concept will work. When he was at Limited Brands, it shared data with several other specialty brands such as Abercrombie & Fitch. They even approached mall developers to involve them in helping to fight retail theft in malls by developing a training program for them.

Separately, Chroust says, a small clothing-goods retailer in Washington, whose store was ripped off by gang members, posted video of the crime on YouTube. Other retailers in the area saw it and recognized the thieves, who had also hit their stores. Banding their evidence together, they approached Washington police, who also recognized the thieves in the video and were able to bust them.

Technology giveth, technology taketh away. Internet auction sites are an important tool for thieves. They can sell goods to wider audiences than those of flea markets. Jones says he joined eBay in part to help alleviate an image problem with retailers, who often believe eBay is not open to working with them or that it cannot track sellers on its site. (CSO covered the issue in depth in August 2005. See www.csoonline.com/article/220Ss4.) Jones says neither is true, and that eBay has analytics staff that can help retailers parse theft data and point police toward thieves. “I’m here, I’m listening, I have the ears of folks at eBay,” he says.

But LaRocca says eBay needs to do more than talk. “In all the security programs eBay proposes, it’s all one way: you bring me the information and give it to me, and if in my assessment a crime has been committed, I will take action. That’s backwards,” he says. The NRF wants to see eBay give retailers the same things it gives manufacturers battling counterfeiters: access to information about sellers.

He also wants to see the company follow through on its agreements. EBay agreed to limit sales of gift cards in order to help prevent widespread gift card fraud, a move led by Jones. LaRocca says eBay is lax about enforcement: “You can go on almost any day of the week and find sellers in violation.”

LaRocca wishes Jones well but says, “If he is able to make progress in this new position, he’ll be a hero.”

Busts are usually a double-edged sword, says consultant Lafrieri. When cases go to trial, retail theft rings study the evidence and learn from the mistakes that led to the bust, allowing them to develop new tactics.

Cyberintrusions and cybertheft will become much bigger threats in the next couple of years, Jones says. CSOs can reach out to other groups in their organizations and start talking. At The Limited, the CIO created a committee that would meet once a month to look at where it was vulnerable, discuss risk levels and look at the issues raised by hired penetration testers.

Combining forces inside a company and outside creates strength in numbers for retailers. Whether that leads to reduced theft depends on how well CSOs can collaborate. One thing’s certain: “The risk is not getting smaller in the world we live in,” says Target’s Brekke. ■


The shadow economy for stolen identity and account information continues to evolve


As if CSOs don’t have enough on their plates, they now need to beat back made men, capos and the other elements of the Mafia. Yes, the Mafia is formally involved in cybercrime, or so alleges the U.S. attorney for Florida, who filed charges against associates of the Bonanno crime family that included pilfering data from LexisNexis.

The Mafia engaging in cybercrime might sound like your grandmother joining Facebook. In fact, “the majority of data breaches are the result of organized crime,” says Nick Holland, an analyst at Aite Group in Boston. That doesn’t mean it’s the conventional Mafia pulling the strings, though it can be. In fact, it’s hard to tell just who is in control sometimes. For the most part, cybergroups that become notorious, like Rock Phish or the old Russian Business Network, do so because very few cybercrime groups publicize themselves, says Steve Santorelli of Team Cymru. (Cymru, pronounced cumri, is the Welsh word for Wales.)

In fact, observers sometimes disagree on just who’s behind a crime. Take last year’s RBS WorldPay scam, which saw hackers not only make off with 1.5 million records from the electronic payments processor, but make fake ATM cards used to withdraw more than $9 million in 49 cities around the world in a one-hour period. Frank Heidt, CEO of Leviathan Security in Seattle, thinks this was a case of an extremely well-organized group with roots in Russian organized crime. Peter Cassidy, director of research at Triarche Consulting Group in Cambridge, Mass., says it looks like a franchise-style operation in which the data and details on how and when to use it were sold to groups operating in different regions.

Either way, it’s organized crime. Just a few years ago, most hackers either acted for the glory of spreading a virus they’d written, or handled all aspects of an operation, from phishing to building fake websites to cashing in on the fraud. Since then, cybercriminals have discovered Adam Smith. They specialize, they create markets and above all, they’re entrepreneurial. And because of the Internet, “you get radical distribution of labor and a radically fast ability to recruit skills,” says Cassidy.

These organizations adopt various structures. The crime family model obviously still applies when the Mafia is involved. Some groups that seem independent of the Mafia, like the people who ran CardersMarket, an underground site for buying and selling credit card information, also use a Mafia-like structure and terminology. Phishing groups tend to work like Japanese keiretsu, says Cassidy, who is also secretary of the Anti-Phishing Working Group. Cybercriminals sometimes use a hub-and-spoke model, where a criminal mastermind puts together the various tools and people needed to pull off a job. Want a botnet? A Symantec study found that on average, you could gain use of one for $225. Need a keystroke logger? Average price: $23. Want someone to host a phishing scam? That can be had for as little as $2. A specific vulnerability in financial sites might cost $3,000.

You can even get specialized versions of malware, websites, etc.; the Verizon 2009 Data Breach report found that 59 percent of the malware it saw was customized. Sometimes the criminals adopt models that look like the software business. You can literally buy “fraud as a service,” where criminals subscribe to hosted services, a story first illuminated in CSO’s September 2007 article, “Inside the Global Hacker Service Economy” (see www.csoonline.com/article/4S686s).

Between 70 percent and 80 percent of malware now comes from organized groups, estimates Bogdan Dumitru, CTO at BitDefender, an antivirus firm based in Romania. Lone hackers still break new ground: Dumitru says Twitter malware that’s popped up recently was “developed by a kid. But in the next two months we’ll probably see organized entities taking advantage of it.”

The fluidity of cyberorganizations can make them more difficult for law enforcement to penetrate than their real-world counterparts. But it’s not impossible. DarkMarket, a spam and phishing forum, eventually was taken over and hosted on FBI servers. J. Keith Mularski, the supervisory special agent at the FBI assigned to the National Cyber-Forensics and Training Alliance, ran this site undercover, posing as a spammer named Master Splyntr.

DarkMarket started leading to arrests of prominent spammers and phishers in May 2007. It eventually closed in October 2008, after the arrest of DarkMarket’s boss, a Turkish hacker whose handle was Cha0, leaving Mularski as the last leader standing. Ultimately, 60 people, most of them the most powerful members of DarkMarket, were arrested in at least four countries: Germany, Turkey, the U.K. and the U.S. The FBI also got six complete malware packages and may have prevented $70 million in losses at financial services firms. Plus, it arrested Cha0 and his seven-member gang in Istanbul before they could ship out about 1,000 ATM skimmers, which prevented an additional $33 million in losses.

“Sure, they’ll reorganize, but with every law enforcement action, it’s a little bit harder to regroup,” says Mularski.


Offers You Can’t Refuse?

What are the costs of e-crime goods on hacking and identity theft sites? Researchers at Team Cymru offer the following numbers, “genuine market values, as opposed to advertised prices.”

Fullz: $10. A “full” means a victim’s full credit or debit card information in concert with a victim’s date of birth, Social Security number and mother’s maiden name. Occasionally, a full will also include a driver’s license number. Fullz are typically obtained via phishing.

Blanks: $3 per blank, but that’s only if you’re ordering 250,000 or more. Typically, plastic goes for $25 to $30 per card. Chipped blanks go for $45 to $50.

E-mail lists: $5 per MB.

Botnets: “varies depending on the node count, available support, etc. It ranges from a few cents for botnets that will only be used for spamming, up to 20 cents for botnets that will be engaged in DDoS attacks (resulting in more attention and more investigation) or that have very high bandwidth (.edu’s or .kr hosts). This is per node and for rental for a specific task, but these prices have the most variation of any of these commodities, due to myriad factors. I’ve seen botnets given away for free, I’ve seen botnets go for significant sums of money,” says Team Cymru’s Santorelli.

Loads: some variance, but a good standard is 13 cents in the U.S., 8 cents in Canada and 7 cents in Western Europe. Installs on Vista machines are seen as the most valuable.

U.K. bank account numbers: Usually a percentage of available funds. Anywhere from 1 percent to 10 percent.

U.S. bank accounts: $10 per account of most banks.

Dumps: U.S. “Classic” credit cards $100, U.S. Gold/Platinum/Corporate cards $150 to $200 depending on size of order.



from market forces. They’ve so flooded the cyber black market with credit card data that prices are falling. Organized crime has shifted its targets. They’re after medical records, which are valuable. They target company CFOs, aiming to get access to corporate bank accounts and wire money out of them. That tactic has had success: In late July, The Washington Post detailed how stealth Trojans had been used to infect a PC used by a county treasurer, a school district and the head of a small business. Hundreds of thousands of dollars were wired to money mules who then sent the funds on to bank accounts in Ukraine and Russia.

Targeted  industries  are  also  shifting. 
While  financial  firms  make  the  juiciest 
targets,  Borenstein  says  that  RSA  is  see¬ 
ing  more  activity  around  the  healthcare, 
manufacturing  and  government  sectors. 

Also on the rise are call center scams. Organized criminals may get access to someone’s bank or brokerage account but be unable to transfer money because of Web protections put in place by financial firms. So the criminals call customer service to complain and even bully, hoping to get help in transferring money out.

Meanwhile, social networks “are gold mines to social engineers, to someone who wants to get to the CFO of an organization to attack them,” says Joshua Corman, principal security strategist at IBM Internet Security Systems. Corman says CSOs need to tell employees not to answer things like those “25 Questions” surveys that run rampant on sites like Facebook because the answers often include information used as hints for account passwords.

BATTLING  BACK 

Even  as  cybercriminals  get  more  sophisti¬ 
cated,  the  best  ways  to  stop  them  are  often 
the  simple  ones.  Verizon’s  report  said 
that  many  credit  card  breaches  occurred 
at  firms  with  minimal  PCI  compliance. 
It  also  found  that  51  percent  of  firms 
breached  had  never  changed  the  default 
vendor  passwords  for  equipment. 
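The default-vendor-password finding is one a CSO can test for directly rather than take on faith. What follows is an added example, not code from the article, from Verizon or from any vendor: it audits a device inventory export against a table of known vendor defaults, plus a short generic list for devices the table does not cover. The inventory, the vendor table, the two credential storage formats (“plain:<password>” and “sha256:<salt>:<hexdigest>”) and the hashing scheme are all constructed for illustration; real equipment exports credentials in vendor-specific formats, so the parsing in stored_matches() would have to be adapted per platform.

```python
"""Flag devices whose accounts still carry vendor default credentials.

Added example; not from the CSO article or the Verizon report. The
inventory, the default-credential table and the two storage formats are
constructed for illustration.
"""
import hashlib
import hmac

# Constructed table of vendor defaults: (vendor, model) -> [(user, password), ...]
DEFAULT_CREDENTIALS = {
    ("acme", "edge-router"): [("admin", "admin"), ("admin", "password")],
    ("acme", "pos-terminal"): [("manager", "166816")],
    ("globex", "wlan-ap"): [("admin", "")],  # blank default password
}

# Constructed fallback list, tried on every device regardless of vendor.
GENERIC_DEFAULTS = [("admin", "admin"), ("admin", "password"), ("root", "root")]


def salted_sha256(password: str, salt: str) -> str:
    """Assumed storage scheme for hashed entries: hex(SHA-256(salt || password))."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def stored_matches(stored: str, candidate: str) -> bool:
    """Return True if the stored credential equals `candidate`.

    `stored` is either "plain:<password>" (cleartext config dump) or
    "sha256:<salt>:<hexdigest>". compare_digest keeps the audit tool itself
    from leaking anything through timing.
    """
    kind, _, rest = stored.partition(":")
    if kind == "plain":
        return hmac.compare_digest(rest.encode("utf-8"), candidate.encode("utf-8"))
    if kind == "sha256":
        salt, _, digest = rest.partition(":")
        computed = salted_sha256(candidate, salt)
        return hmac.compare_digest(computed.encode("ascii"), digest.encode("ascii"))
    raise ValueError(f"unknown credential format: {kind!r}")


def audit(inventory):
    """Return [(host, user, reason)] for every device still on a default.

    Vendor-specific defaults are tried first, then the generic list, so a
    device whose vendor is missing from the table can still be flagged.
    """
    findings = []
    for dev in inventory:
        vendor_defaults = DEFAULT_CREDENTIALS.get((dev["vendor"], dev["model"]), [])
        candidates = [(u, p, "vendor default") for u, p in vendor_defaults]
        candidates += [(u, p, "generic default") for u, p in GENERIC_DEFAULTS]
        for user, password, reason in candidates:
            if user == dev["user"] and stored_matches(dev["stored"], password):
                findings.append((dev["host"], user, reason))
                break  # one hit is enough to flag the device
    return findings


# Constructed inventory export. Hashed entries are built with the same helper
# so the sample is self-consistent; a real export carries the device's digest.
INVENTORY = [
    {"host": "rtr-01", "vendor": "acme", "model": "edge-router",
     "user": "admin", "stored": "plain:admin"},
    {"host": "rtr-02", "vendor": "acme", "model": "edge-router",
     "user": "admin", "stored": "plain:Xk9!qzL2wTb"},  # changed: not flagged
    {"host": "pos-07", "vendor": "acme", "model": "pos-terminal",
     "user": "manager", "stored": "sha256:n4c1:" + salted_sha256("166816", "n4c1")},
    {"host": "ap-03", "vendor": "globex", "model": "wlan-ap",
     "user": "admin", "stored": "sha256:77ab:" + salted_sha256("", "77ab")},
    {"host": "sw-12", "vendor": "initech", "model": "core-switch",
     "user": "admin", "stored": "plain:admin"},  # vendor unknown, generic hit
]

if __name__ == "__main__":
    for host, user, reason in audit(INVENTORY):
        print(f"{host}: account {user!r} still uses a {reason} password")
```

The generic fallback matters in practice: an inventory is only as good as its vendor table, and the switch from a vendor not in the table is the one a table-only check would miss. A hashed store with a per-device salt does not stop this audit, since the defaults are known and can be hashed the same way; it only stops bulk comparison of exports from different devices.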

Equipment itself gets overrated by CSOs and CISOs, says Michael Levin, former deputy director of the National Cyber Security Division of the Department of Homeland Security. “They are wasting money on hardware and software,” he says. Instead, they should do things like tell employees not to click on e-mail attachments and other basics. Levin has cofounded the Center for Information Security Awareness in Fairfax, Va., which has prepared the free, online awareness training offered through InfraGard, the FBI’s regional effort to work more closely with private companies on cybercrime.

CSOs should get involved with groups like InfraGard or develop relationships with regional FBI or Secret Service agents and local law enforcement. They should also regularly assess their risk levels. “You have to assess every record and every piece of data in the place for its value to criminals,” says Cassidy.

CSOs  should  also  be  prepared  to 
do  much  of  their  own  forensics  work 
before  going  to  law  enforcement.  Levin 
says  once  law  enforcement  is  involved, 
they  may  need  a  search  warrant  or  even 
a  grand  jury  subpoena  to  do  things  like 
explore  company  computers  for  mal¬ 
ware,  slowing  the  process. 

Above  all,  talk  to  people  outside  of 
the  security  department  or  IT,  and  talk 
to  peers  at  other  companies,  especially 
financial  firms,  which  are  on  the  front 
lines  of  the  corporate  cyberwars.  The 
cybercriminals  don’t  cloister  themselves, 
and  CSOs  can’t  either.  ■ 


Michael  Fitzgerald  is  a  frequent  contributor 
to  CSO.  Send  feedback  to  editor  Derek  Slater 
at  dslater@cxo.com. 


The DarkMarket operation has at least temporarily driven many cybercriminals off of Internet Relay Chat and bulletin boards, says Team Cymru’s Santorelli. They’ve opted instead for private instant messenger groups that they control, says Santorelli.

DarkMarket  involved  law  enforce¬ 
ment  groups  working  together  across 
borders.  That’s  a  good  step  in  what 
remains  a  challenge.  Cybercriminals 
“are  good  at  finding  cracks  in  interna¬ 
tional  law,”  says  Yuval  Ben-Itzhak,  CTO 
of  security  firm  Finjan.  A  group  might  be 
based  in  one  country,  use  servers  in  a  sec¬ 
ond  and  commit  crimes  in  a  third. 

This  problem  has  led  to  calls  for  better 
international  law.  For  instance,  Brazil  has 
become  a  hotbed  of  bank  fraud,  phishing 
and  Trojan  activities  since  the  penalties 
there  are  very  light.  Some  are  even  calling 
for  a  group  that  can  force  Internet  service 
providers  to  cut  off  servers  that  obviously 
house  phishers. 

More countries may be taking cybercrime seriously. While Eastern Europe is seen as a kind of Wild Cyber West, last year, Romanian police arrested 20 people in Ramnicu Valcea and Dragasani, towns known for organized eBay scams (one tried to auction off a Romanian city hall). Florin Talpes, BitDefender’s CEO, says joining the European Union in 2007 has changed attitudes in Romania and in Bulgaria, which have created stronger legal frameworks for fighting cybercrime.

Mularski,  however,  cites  Romania  as 
a  country  where  traditional  organized 
crime  clearly  has  become  involved  in 
cybercrime.  The  FBI  arrested  35  Roma¬ 
nians  running  a  phishing  and  ATM 
skimming  scam  in  Los  Angeles,  and 
Mularski  says  they  were  connected  with 
Romanian  organized  crime.  He  concedes 
that  the  FBI  did  work  with  Romanian 
law  enforcement  to  make  80  arrests  in 
the  two  countries  in  a  separate  case.  At 
least  there  are  arrests  in  Romania.  That 
rarely  happens  in  a  place  like  Russia, 
although  two  unnamed  Russian  hackers 
were  recently  indicted  in  the  Heartland 
and  Hannaford  hacking  cases— along 
with  US-based  alleged  mastermind 
Albert  Gonzalez. 

Still,  even  cybercrime  groups  suffer 


[  undercover] 

By  Anonymous 


A  Day  in  the  Life  of  Two 
IT  Security  Cranks 

Two  IT  security  guys  survive  a  routine  day  the  way  many  of  us  do: 
by  venting  away  their  daily  challenges  in  140  characters  or  less 


Editor’s note: Let’s face it— sometimes the only way for an IT security practitioner to make it through a work day is to vent to someone about the ongoing folly of misconfigured networks, clueless vendors and contractors, pointy-headed bosses (they do exist beyond the Dilbert universe) and users who do stupid things.

Thanks  to  Twitter  and  one’s 
ability  to  mask  his  identity  with 
colorful  user  names,  a  lot  of 
that  venting  now  unfolds  to  the 
enjoyment  of  a  wider  group 
of  people. 

Two particularly cantankerous IT security curmudgeons have given us permission to capture a snapshot of their lives as told in daily Twitter rants.

The  editor  has  taken  the  liberty 
of  setting  up  these  so-called 
“tweets”  in  a  day-long,  diary 
format.  The  goal  is  to  show 
readers  that  many  of  their  daily 
challenges  are  indeed  shared  by 
others  and  that  sometimes  the 
best  defense  to  one’s  sanity  is  a 
bit  of  venting. 

To  protect  the  innocent,  we’ll 
call  these  guys  Mick  and  Larry. 

10 P.M. SUNDAY
Mick: “Tired, and some dimwit scheduled a Monday tomorrow.”

6 A.M. TO 8 A.M. MONDAY
The day begins with our heroes braving the traffic and long coffee-shop lines...

Mick: “Mornin’ world. It’s a cyber-tastic Monday morning.”

Upon looking out the window...

Mick: “Ah, schweet, another crappy morning. A cool, wet puppy nose stuck in the butt of the day.”

Mick: “I am feeling especially stupid this morning. Please sir, may I have more caffeine?”

Later, at the local Starbucks...

Mick: “Dawdling in line at Sbux should be punishable by death. I need coffee, you are in my way, die now.”

Mick: “Oh, and fall so you don’t block the line. I have largely cut back to two doses a day, a 6-shot latte a.m., a Dr. Pepper p.m. Yes, that is cutting back for me.”

Things don’t get much better on the road...

Mick: “Rain. As I commute in the crap again, I take solace in knowing some nearby tourist has been waiting all year to have his vacation ruined.”

A few state lines away, Larry faces the day. He wakes up with a feeling of dread...

Larry: “Shaking off the bad feeling. OK, attempting to do so.”

Then  collects  himself... 

Larry:  “OK  let’s  try  this  again.  Meds, 
check.  Coffee,  check.  Headphones  and 
sunglasses  on.  Look  out  day  job,  here 
I  come.” 

On  the  train  to  work,  a  text  message 
arrives  in  his  BlackBerry  inbox  like  a  ray 
of  sunshine.  His  spirits  instantly 
improve... 

Larry:  “Beautiful  Monday 
moment!  Two-hour  afternoon 
meeting  cancelled.  If  there  was 
more  room  on  this  train  I’d 
dance.  Woohoo!” 

Meanwhile,  Mick  settles  in  at 
the  office... 

Mick:  “Just  another  day  at 
the  Packet  Orphanage  that  is  my 
cubicle.” 

He checks his voice mail box...

Mick: “Another eternal and unanswerable question: Why do so many people insist on leaving voice mail messages without their !@#$ call-back numbers?”

He takes time to answer a question from one of his Twitter friends, who asks, “Why is it the day I get two hours of sleep I get tossed into a surprise meeting with a passel of govie CIOs?”

Mick responds: “Look at it this way: If you woke up happy and well rested, they would ruin it anyway, so go with it.”

Mick, reviewing the week’s events: “New product training this week. Good stuff, but I may doze off *occasionally.*”

8  A.M.  TO  NOON 

Larry, happy the hour before because a meeting was canceled, learns that there will be a meeting after all. His spirits sink...

www.csoonline.com September 2009

Photo by Veer

Larry:  “And  the  marketing  team  said: 
Let  there  be  meetings!  And  meetings  begot 
meetings.  Which  begot  more  meetings. 
And  we  met.” 

Back  in  the  Packet  Orphanage  (Mick’s 
cubicle),  the  monotony  of  the  morning  is 
apparent... 

Mick:  “SMTP  logs,  SMTP  logs,  SMTP 
logs.  Who’s  jealous?” 

A  FEW  MINUTES  LATER... 

Mick:  “Log  files,  packet  captures,  log 
files,  packet  captures,  log  files,  packet  cap¬ 
tures,  log  files,  packet  captures,  log  files, 
packet  captures...” 

Mick:  “May  dive  into  Visio  and  make  a 
diagram  of  the  network  for  entertainment 
value.  LAN  has  2  GW,  each  of  them  w/ 
3GW,  all  6  same,  double  NATing.” 

Then,  the  obligatory  talking  back  to  a 
badly-behaving  piece  of  software... 

Mick: “Oh thank you Clam AV, another false positive to waste my time this morning. Could you waste a pile of RAM and maybe a few CPU cycles, too?”

A friend on Twitter tries to buck him up, writing, “At least it sucks for free. I’m glad no one *pays* for crappy antivirus. That would be terrible.”

At  Larry’s  office,  the  dreaded  vendor  brief¬ 
ings  commence... 

Larry:  “Hearing  about  ‘PCI  Compli¬ 
ancy.’  Um,  fail  in  progress.  Check  your 
customer  business  line  before  you 
show  up.” 

The visiting vendors continue to frustrate. Fortunately for Larry, there’s a BlackBerry in the room. He uses it to share his pain via TwitterBerry...

Larry:  “For  [expletive  deleted]  sake! 
$vendors,  know  WHO  your  customer/ 
audience  IS  before  you  show  up.” 

Finally, the trauma passes and it’s time to pick up the pieces and prep for the afternoon drudgery...

Larry: “Crawling out of my morning of $vendor meetings. Need a nap/beer/food (circle choice).”

NOON TO 6:30 P.M.

In  both  offices,  a  breakdown  of  all  control 
and  sanity  commences... 

Mick:  “No  problem.  I’ll  just  use  my 
psychic  powers  to  diagnose  this.  It  is 
coming— I  see  an,  hmm,  isn’t  clear  yet, 
looks  like— yes,  I  see  an  idiot.” 

Mick:  “Speaking  of  psychics,  why  do 
they  advert  things  like  “psychics  on  duty 
all  day,”  shouldn’t  they  just  show  up  when 
they  know  they’re  needed?” 

Mick:  “Why  do  people  insist  on  trying 
to  clean  pwned  Windoze  desktops?  Stop  it, 
it  won’t  work.  Sing  the  song:  Fdisk,  format, 
re-in-stall,  do  dah.” 

Larry: “There are some people who should be fed to a pack of ravenous gerbils for calling themselves ‘security’ anything.”

Larry:  “Here’s  a  great  idea.  It’s  pouring 
rain.  What  better  time  to  have  an  evacua¬ 
tion  drill,  /me  head/desk/repeat.” 

Later  in  the  afternoon,  a  reorganization  is 
announced  at  Larry’s  company.  Fortunately, 
he  lives  to  tell  about  it... 

Larry:  “Survived  reorg.  Heading 
home  after  some  wobbly  pops  with 
the  team.” 

Back  at  the  Packet  Orphanage,  coworkers, 
contractors  and  other  assorted  characters  test 
Mick  like  never  before... 

Mick:  “Odd  that  there  are  no  Applica¬ 
tion  Security  Specialist  thongs  to  let  folks 
show  off  their...” 

Mick:  “I  have  never  understood  people 
who  pay  to  be  abused.  If  your  vendor 
doesn’t  want  your  business,  don’t  give  it 
to  them.” 

Mick: “Pro Tip: Don’t abuse 1st-level support staff and then expect that senior engineers won’t know you’re an arse.”

Mick:  “The  fact  that  you  are  too  lazy 
to  read  a  manual  or  KB  article  does  not 
elevate  the  priority  of  your  case.  It  even 
may  do  the  opposite.” 

Mick:  “Pro  Tip:  Update  and  patch  your 
stuff  before  calling  support.  Love  the  ‘we 
fixed  that  years  ago’  answer,  really  a  good 
use  of  time.” 

Mick:  “POP!  My  stupidity  breaker  just 
tripped.” 

ABOUT  30  MINUTES  LATER... 

Mick:  “I  can’t  take  it,  the  MORON  who 


tripped  my  stupid  breaker  just  did  it  again. 
Where’s  the  cluebat?” 

Another  tweeter:  “Thunder  outside 
nearby.  Two  150-pound  mastiffs  both  tried 
to  climb  on  my  lap,  whining.  Big  babies.” 

Mick:  “I  have  the  same  problem,  only 
with  support  engineers.” 

Mick:  “Head.  Desk.  Repeat.” 

Mick:  “Backups,  we  don’t  need  no 
stinkin’  backups...  Oh,  crap,  help  me!!” 

Mick:  “There  are  a  lot  of  people  fight¬ 
ing  for  the  mantle  of  “where  good  software 
goes  to  die”  these  days,  aren’t  there?” 

LATE  AFTERNOON... 

Mick: “Smart meter systems scare the crap out of me. They are networked. By overworked and undertrained network admins.”

Mick:  “Windows  networking  is  mess¬ 
ing  with  me.  Shocking,  I  know.  It  is  just  a 
route  command,  how  hard  is  that?” 

Mick: “Reminded again that the 10 percent of Americans who are unemployed are not entirely the correct 10 percent who should be unemployed.”

The  day  winds  down  with  some  report 
reading  and  reviewing  of  hiring  practices  in 
his  company  and  elsewhere... 

Mick:  “The  hiring  dilemma:  You  want 
someone  who  can  learn  and  grow  with  the 
job,  but  it’s  much  easier  to  just  fill  need  for 
skill  X  to  put  out  fire.” 

Mick:  “But  meanwhile,  no  one  with 
skill  X  applies,  and  people  who  could 
learn  it  before  you  find  one  continue  to  be 
unemployed.” 

Upon  reading  a  report  claiming  that  half 
of  all  security  pros  (those  responding  to  the 
survey,  anyway)  hate  their  jobs... 

Mick: “Half of all security pros unhappy? The happy 50 percent aren’t paying attention. Or are heavily medicated.”

7  P.M.  TO  MIDNIGHT: 

Work continues from home...

Mick:  “One  last  customer’s  problems 
punted  deep  into  QA  territory,  beer  con¬ 
sumed,  things  are  looking  up.” 

“Mick” and “Larry” are two IT security practitioners from two different states and companies. One works for a vendor, the other is a compliance officer at a large electrical company. ■


Send feedback to Senior Editor Bill Brenner at bbrenner@cxo.com.




[  INDUSTRY  view] 

By  Gregory  A.  Paw 


The  Pirate  of  Prague 

A  handbag  maker  is  convicted  under  the  Foreign  Corrupt  Practices  Act. 
Here’s  what  it  means  for  U.S.  companies  doing  business  overseas. 


An  important  trial  under  the 
Foreign  Corrupt  Practices 
Act  ended  with  a  guilty  ver¬ 
dict  in  a  federal  courtroom 
this  summer,  providing  a 
powerful  reminder  of  the  importance  of 
conducting  thorough  reviews  of  foreign 
business  partners  and  investments. 

A federal jury convicted Frederic Bourke, founder of handbag maker Dooney & Bourke, of conspiring to bribe government leaders in Azerbaijan in a 1998 oil deal, in violation of the Foreign Corrupt Practices Act (FCPA). Bourke invested— and lost— $8 million with a Czech expatriate, Viktor Kozeny, in a bid to buy Socar, the state oil company. Dubbed the “Pirate of Prague” by Fortune magazine, Kozeny remains a fugitive, avoiding extradition while claiming the FCPA does not apply to him.

Prosecutors  charged  that  Bourke  made 
his  investment  knowing  that  Kozeny  gave 
Azeri  public  officials  millions  in  cash  and 
a  secret  two-thirds  interest  in  the  deal. 
Bourke’s  defense  was  that  he  invested  only 
after  his  lawyers  deemed  the  deal  legal.  He 
later  even  traveled  to  alert  Azeri  officials  of 
the  scheme.  But  prosecutors  rebutted  this 
defense  with  evidence  of  Bourke’s  knowl¬ 
edge,  including  his  own  recorded  rhetori¬ 
cal  question:  “Do  you  think  business  is 
done  at  arm’s  length  in  this  part  of  the 
world?”  Jurors  also  heard  weeks  of  testi¬ 
mony  involving  suitcases  stuffed  with  cash 
and  details  of  secretive  walks  in  a  park  to 
discuss  the  deal. 

Prosecutors argued that Bourke consciously avoided learning about the bribes by not asking questions about the deal terms and “sticking his head in the sand” to avoid learning if his partner paid bribes to government officials. The court’s instructions on willful blindness permitted conviction if jurors found Bourke knew or took steps to avoid learning of payments to Azeri officials. Jurors had to determine if Bourke “deliberately closed his eyes” to what otherwise would have been obvious to him.

Jurors  emphasized  the  importance  of 
the  court’s  “head  in  the  sand”  instructions. 
The  foreperson  summarized  the  rationale  of 
his  verdict,  stating  “[i]t  was  Kozeny,  it  was 
Azerbaijan,  it  was  a  foreign  country.  We 
thought  he  knew  and  definitely  could  have 
known.  He’s  an  investor.  It’s  his  job  to  know.” 
Another juror, recalling a time line used by prosecutors during the closing argument, said there were too many “red flags” for Bourke not to have known. A unanimous guilty verdict on the conspiracy to violate the FCPA resulted.

The  Justice  Department  made  clear 
in  aggressively  prosecuting  Bourke  that 
companies  cannot  turn  a  blind  eye  to  “red 
flags”  of  improper  payments.  Claims  that 
business  is  “always  done  this  way”  in  other 
parts  of  the  world,  or  that  a  business  part¬ 
ner  made  the  payments  on  his  own,  simply 
will  not  serve  as  defenses  under  the  Foreign 
Corrupt  Practices  Act. 


Vigilance  about  how  a  company’s  inter¬ 
national  business  is  conducted  and  due  dil¬ 
igence  on  international  business  partners 
such  as  sales  agents,  consultants  and  dis¬ 
tributors  are  essential.  Requiring  business 
partners  to  understand  and  abide  by  the 
FCPA  and  the  company’s  compliance  and 
ethics  culture  is  a  similarly  crucial  step. 

Companies must make realistic assessments of the risk in doing international business. FCPA audits must be appropriate for the type of risk posed by the transaction, accounting for risks of the particular industry, the prior history of the organizations, the geographic region involved and the nature of the proposed business partner, including its ties to foreign governments and whether it has been subject to prior regulatory or media scrutiny. As these risks or the importance of the business partnership grow, the level of rigor required in the review must expand. For key international business partnerships or acquisitions, nothing can replace the value of an in-country review. This includes personal interviews of key players, reviews of critical documents and systems, and sampling of various accounting issues— all conducted by experienced U.S. legal and investigative staffs trained on FCPA and other compliance issues, and working with local experts.

The  Justice  Department  official  in 
charge  of  FCPA  prosecutions  said  that 
while  it  is  “very  tempting  for  companies 
to  divert  resources,  which  are  scarce,  away 
from  compliance,”  these  companies  “need 
to  be  especially  vigilant  in  this  economic 
climate  to  not  cut  back.”  ■ 


Gregory  A.  Paw  is  a  member  of  Pepper  Ham¬ 
ilton's  White  Collar  and  Corporate  Investiga¬ 
tions  Practice  Group. 




NEWSLETTER 

THE  EMPLOYEE  SECURITY  AWARENESS  NEWSLETTER  FROM  THE  EDITORS  AT  CSO 


Security Smart is a quarterly security awareness newsletter ready for distribution to your employees— saving you precious time on employee education! The compelling content combines personal and organization safety tips, so it is applicable to many facets of employees’ lives. And the easy-to-read design has multiple entry points, so you are assured that your intended audience of employees— your organization’s most valuable assets— will read and retain the information.



Subscribe  today! 



To  view  a  sample  issue  of  the  newsletter,  learn  about  the 
delivery  options  and  to  subscribe  visit: 

www.SecuritySmartNewsletter.com 



For  more  information  please  visit 

www.SecuritySmartNewsletter.com 

Security  Smart  is  published  by  CSO,  a  business  unit  of  CXO  Media.  ©  2007  CXO  Media  Inc. 


BUSINESS  RISK  LEADERSHIP 




[  debriefing] 


1. Cosa nostra is a Sicilian term meaning:
a. Our clan  b. Our house  c. Our family  d. Our thing

2. “The Black Hand” refers to this type of crime:
a. Extortion  b. Check fraud  c. Murder  d. Graffiti

3. The Sicilian mafia’s code of silence or honor is called:
a. Resistenza  b. Omertà  c. Valor  d. Bushido

4. Which of the following was not the name (or pseudonym) of a real person?
a. Donnie Brasco  b. Eliot Ness  c. Nicky Santoro  d. Mario Puzo


5.  Which  of  the  following 
people  was  born  in  Sicily? 

a.  Joseph  Bonanno  c.  Meyer  Lansky 

b.  Al  Capone  d.  J.  Edgar  Hoover 

6.  What  was  the  real  name 
of  1970s  American  mafia 
snitch  Jimmy  the  Weasel? 

a.  Salvatore  Gravano 

b.  Aladena  Fratianno 

c.  Charlie  Luciano 

d.  Giuseppe  Di  Stefano 

7.  Chicago  mobster  Alphonse 
Capone  was  convicted 

of  what  crimes? 

a.  Murder  and  extortion 

b.  Racketeering  and  theft 

c.  Tax  evasion  and  bootlegging 

d.  Jaywalking  and  public  drunkenness 


8. The term “racketeering” was coined in 1927 to describe organized crime influence in what group?

a.  The  Chicago  Police 

b.  The  Teamsters  Union 

c.  Nonunion  dockworkers 

d.  Soccer  moms 

9.  The  RICO  Act,  aimed  at 
protecting  interstate  commerce, 
was  signed  into  effect  by 
which  U.S.  president? 

a.  Calvin  Coolidge 

b.  Dwight  Eisenhower 

c.  Lyndon  Johnson 

d.  Richard  Nixon 


ANSWERS: 1. D; 2. A; 3. B; 4. C; 5. A; 6. B; 7. C; 8. B; 9. D

How’d ya do?

0-3 Correct: You sleep with the fishes. 4-6 Correct: Standup guy. 7-9 Correct: Made man.




Two-Factor  Authentication 


“Even if a hacker has your password, your account remains secure.” (New York Times)


Get  the  strong  two-factor  security  you  need 
to  protect  against  today’s  sophisticated 
threats  without  the  hassle  and  cost  of 
yesterday's  technology. 


>PhoneFactor 


Easy  to  Setup,  Manage,  and  Use 
Strong Out-of-Band Authentication
Rapid  Regulatory  Compliance 
Far  Less  Expensive  Than  Tokens 


1877.NoToken 


www.phonefactor.com 




Instantly, the user receives a call, simply answers and presses # (or a PIN) to complete the login.


[3M privacy filter advertisement; most of the copy is unrecoverable] “...trust you with their lives. Do no harm to their data with 3M Microlouver Technology. Privacy concerns cured.” FOR YOUR EYES ONLY


